CVE-2026-24135 Overview
A path traversal vulnerability has been identified in Gogs, a popular open source self-hosted Git service. The vulnerability exists in the updateWikiPage function and allows authenticated users with write access to a repository's wiki to delete arbitrary files on the server by manipulating the old_title parameter in the wiki editing form. This represents a significant security risk as it could lead to system compromise, data loss, or service disruption.
Critical Impact
Authenticated attackers with wiki write access can delete arbitrary files on the server, potentially causing data loss, system instability, or complete service disruption.
Affected Products
- Gogs version 0.13.3 and prior versions
- All Gogs installations with wiki functionality enabled
Discovery Timeline
- 2026-02-06 - CVE-2026-24135 published to NVD
- 2026-02-06 - Last updated in NVD database
Technical Details for CVE-2026-24135
Vulnerability Analysis
This vulnerability is classified as CWE-22 (Path Traversal), which occurs when user-supplied input is used to construct a file path without proper sanitization. In the context of Gogs, the updateWikiPage function fails to adequately validate the old_title parameter, allowing attackers to inject path traversal sequences (such as ../) to reference files outside the intended wiki directory.
The attack requires authentication and write access to a repository's wiki, which limits the attack surface but does not eliminate the risk. Many organizations allow external contributors or have permissive access controls on wiki content, making this vulnerability exploitable in real-world scenarios.
Root Cause
The root cause of this vulnerability lies in insufficient input validation within the updateWikiPage function. When processing the old_title parameter during wiki page editing operations, the function does not properly sanitize or validate the input to prevent directory traversal sequences. This allows an attacker to craft malicious input that references files outside the wiki directory structure, enabling arbitrary file deletion on the server's filesystem.
Attack Vector
The attack is network-accessible and requires low privileges (authenticated user with wiki write access). An attacker would:
- Authenticate to the Gogs instance with an account that has write access to a repository's wiki
- Navigate to the wiki editing functionality
- Manipulate the old_title parameter to include path traversal sequences (e.g., ../../etc/important_file)
- Submit the form to trigger the file deletion operation on the targeted file path
The vulnerability mechanism involves the manipulation of the old_title parameter in the wiki editing form. When a user edits a wiki page, the function processes the old title to handle page renames. By injecting path traversal sequences into this parameter, an attacker can reference and delete files outside the intended wiki directory. For detailed technical information, refer to the GitHub Security Advisory.
Detection Methods for CVE-2026-24135
Indicators of Compromise
- Unexpected file deletions or missing system files on the Gogs server
- Wiki page edit requests containing path traversal sequences (../, ..%2f, or similar encodings) in the old_title parameter
- Unusual patterns in web server access logs showing manipulation of wiki edit endpoints
- System integrity check failures indicating unauthorized file modifications
Detection Strategies
- Monitor HTTP request parameters for path traversal patterns in wiki-related endpoints
- Implement file integrity monitoring (FIM) on critical server files and directories
- Review Gogs application logs for anomalous wiki editing activity
- Deploy web application firewall (WAF) rules to detect and block path traversal attempts
Monitoring Recommendations
- Enable detailed logging for all wiki operations in Gogs
- Set up alerts for file deletion events outside of normal wiki directories
- Monitor user activity logs for accounts with wiki write access
- Implement real-time log analysis to detect path traversal attack patterns
How to Mitigate CVE-2026-24135
Immediate Actions Required
- Upgrade Gogs to version 0.13.4 or later immediately
- Review and restrict wiki write access permissions to trusted users only
- Audit existing wiki content for any signs of exploitation
- Back up critical server files and implement file integrity monitoring
Patch Information
The Gogs development team has released security patches addressing this vulnerability. Users should upgrade to version 0.13.4 or any version in the 0.14.0+dev series. The patch implements proper input validation for the old_title parameter, preventing path traversal attacks. For complete patch details, refer to the GitHub Security Advisory.
Workarounds
- Temporarily disable wiki functionality if upgrading is not immediately possible
- Implement strict access controls to limit wiki write permissions to highly trusted users
- Deploy a web application firewall (WAF) with rules to block path traversal attempts
- Consider running Gogs in a containerized environment with restricted filesystem access
# Configuration example - Restricting wiki access via repository settings
# Navigate to Repository Settings > Wiki and disable public wiki editing
# Or restrict access to repository collaborators only
# For Docker deployments, consider limiting container filesystem access
docker run --read-only \
--mount type=tmpfs,destination=/tmp \
--mount type=volume,source=gogs-data,target=/data \
gogs/gogs:0.13.4
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
