Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-52796

CVE-2026-52796: Gogs Git Service DoS Vulnerability

CVE-2026-52796 is a denial of service vulnerability in Gogs self-hosted Git service caused by malformed issue index patterns triggering panics. This article covers the technical details, affected versions, and mitigation.

Published:

CVE-2026-52796 Overview

CVE-2026-52796 affects Gogs, an open source self-hosted Git service. Versions prior to 0.14.3 contain a flaw in the issue index pattern rendering logic. A specially crafted pattern triggers a runtime panic in RenderIssueIndexPattern, producing a denial of service condition. Any repository page containing an issue index reference such as #1 becomes unavailable once the malicious pattern is set. The maintainers fixed the issue in version 0.14.3.

Critical Impact

Authenticated users with permission to configure repository issue patterns can render affected pages permanently unavailable until administrators intervene.

Affected Products

  • Gogs versions prior to 0.14.3
  • Self-hosted Gogs Git service instances
  • Repositories with configurable issue index patterns

Discovery Timeline

  • 2026-06-24 - CVE-2026-52796 published to NVD
  • 2026-06-25 - Last updated in NVD database

Technical Details for CVE-2026-52796

Vulnerability Analysis

The flaw resides in internal/markup/markup.go within the RenderIssueIndexPattern function. The function expands a configurable template using com.Expand, which does not safely validate template syntax. When the configured pattern contains an opening brace { but no matching closing brace }, strings.Index(template, "}") returns -1. The subsequent slice operation template[:-1] triggers a Go runtime panic.

This vulnerability falls under [CWE-1336] (Improper Neutralization of Special Elements Used in a Template Engine). The panic propagates up through the rendering pipeline, breaking any page that attempts to expand an issue reference such as #1.

Root Cause

The root cause is missing input validation on the issue index pattern template. The rendering function assumes well-formed templates with matched braces. It does not check the return value of strings.Index before performing slice arithmetic. An attacker who sets a malformed template forces a negative index slice, which Go treats as a runtime panic rather than a recoverable error.

Attack Vector

An authenticated user with rights to configure a repository's external issue tracker pattern submits a template containing an unmatched { character. After saving the pattern, any subsequent request that renders content with an issue reference triggers the panic. The affected pages remain unavailable until an administrator corrects or removes the malicious pattern. User interaction is required to trigger rendering on affected pages.

The vulnerability is described in prose because no public proof-of-concept code was identified. See the GitHub Security Advisory for additional technical context.

Detection Methods for CVE-2026-52796

Indicators of Compromise

  • Gogs application logs containing Go runtime panic traces referencing RenderIssueIndexPattern or internal/markup/markup.go
  • HTTP 500 responses on repository pages that contain issue references such as #1
  • Repository configuration changes setting an external issue tracker pattern containing an unmatched { character

Detection Strategies

  • Monitor Gogs server logs for repeated panic stack traces tied to markup rendering
  • Audit recent changes to repository settings, specifically external tracker URL formats and issue index patterns
  • Correlate authenticated user activity with subsequent rendering failures on affected repositories

Monitoring Recommendations

  • Forward Gogs application and reverse proxy logs to a centralized logging or SIEM platform for panic pattern alerting
  • Track HTTP 5xx error rates per repository to identify localized rendering failures
  • Alert on configuration changes to issue pattern templates by non-administrative accounts

How to Mitigate CVE-2026-52796

Immediate Actions Required

  • Upgrade Gogs to version 0.14.3 or later, which contains the fix for RenderIssueIndexPattern
  • Audit existing repository configurations for malformed issue index patterns and remove or correct them
  • Restrict repository administrative permissions to trusted users until patching completes

Patch Information

The vulnerability is fixed in Gogs version 0.14.3. Administrators should review the GitHub Security Advisory GHSA-4j89-2c4f-44c6 for upgrade guidance and release notes.

Workarounds

  • Manually inspect and reset any repository issue index pattern containing an unmatched { character
  • Limit who can modify external tracker settings on each repository to reduce the attack surface
  • Monitor application logs for panic conditions and restart the Gogs service if pages become unavailable

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.