CVE-2026-52806 Overview
CVE-2026-52806 is a critical argument injection vulnerability in Gogs, an open source self-hosted Git service. Versions prior to 0.14.3 allow authenticated users to achieve Remote Code Execution (RCE) on the server. The flaw resides in the "Rebase before merging" pull request merge path, where a specially crafted branch name injects the --exec flag into the underlying git rebase command. Successful exploitation grants attackers code execution under the Gogs server process account. The issue is tracked under CWE-77: Improper Neutralization of Special Elements used in a Command and is fixed in Gogs 0.14.3.
Critical Impact
Authenticated attackers can execute arbitrary commands on the Gogs server by submitting a pull request whose branch name injects arguments into git rebase, leading to full server compromise.
Affected Products
- Gogs self-hosted Git service, all versions prior to 0.14.3
- Deployments exposing pull request merge functionality to authenticated users
- Containerized and bare-metal Gogs installations using the default merge workflow
Discovery Timeline
- 2026-06-24 - CVE-2026-52806 published to NVD
- 2026-06-25 - Last updated in NVD database
Technical Details for CVE-2026-52806
Vulnerability Analysis
The vulnerability is an argument injection flaw in the pull request merge logic. When a user selects the "Rebase before merging" strategy, Gogs invokes git with branch names taken directly from user-controlled pull request metadata. Because branch names were passed as positional arguments without an -- end-of-options separator, attackers can supply a name beginning with - to be parsed as a flag. Git's rebase and related porcelain commands honor flags such as --exec, which executes arbitrary shell commands during the rebase sequence. The result is server-side command execution scoped to the Gogs process user, enabling repository tampering, credential theft, and lateral movement.
Root Cause
The root cause is the construction of git command lines using untrusted branch identifiers without argument boundary enforcement. The fix replaces the ad-hoc process.ExecTimeout invocation of git clone with a structured git.Clone call that uses an explicit CloneOptions struct, removing the ability for branch values to be interpreted as command-line switches.
Attack Vector
An authenticated user with permission to create pull requests crafts a head branch whose name starts with --exec= followed by an arbitrary command. When a maintainer triggers the rebase merge, Gogs passes the branch name to git, which executes the embedded command. Exploitation requires only low privileges and no user interaction beyond a normal merge action.
// Security patch in internal/database/pull.go
// Clone the base repository to the defined temporary directory,
// and checks out to base branch directly.
var stderr string
- if _, stderr, err = process.ExecTimeout(5*time.Minute,
- fmt.Sprintf("PullRequest.Merge (git clone): %s", tmpBasePath),
- "git", "clone", "-b", pr.BaseBranch, baseGitRepo.Path(), tmpBasePath); err != nil {
- return errors.Newf("git clone: %s", stderr)
+ if err = git.Clone(baseGitRepo.Path(), tmpBasePath, git.CloneOptions{
+ Branch: pr.BaseBranch,
+ Timeout: 5 * time.Minute,
+ }); err != nil {
+ return errors.Newf("git clone: %v", err)
}
Source: Gogs commit a9dbafb
Detection Methods for CVE-2026-52806
Indicators of Compromise
- Pull request records containing branch names beginning with -, --exec=, or other git flag-like prefixes
- Unexpected child processes spawned by the Gogs binary, such as /bin/sh, curl, wget, or bash during merge operations
- New SSH keys, deploy keys, or webhook endpoints added shortly after a rebase merge event
- Outbound network connections from the Gogs server to untrusted hosts following a merge action
Detection Strategies
- Inspect Gogs application logs and database for pull request head_branch values that fail a strict [A-Za-z0-9._/-] allowlist and do not begin with -
- Audit shell history and process accounting on the Gogs host for git rebase invocations containing --exec
- Correlate authenticated user activity with anomalous process trees descending from the Gogs service
Monitoring Recommendations
- Enable host-based process monitoring on Gogs servers and alert on non-git child processes spawned by the Gogs user
- Forward Gogs access logs and audit events to a centralized SIEM for correlation with branch creation and merge actions
- Baseline normal merge activity and alert on rebase merges originating from newly created low-reputation accounts
How to Mitigate CVE-2026-52806
Immediate Actions Required
- Upgrade Gogs to version 0.14.3 or later on all self-hosted instances
- Restrict pull request creation to trusted users until the patch is applied
- Review existing pull requests for branch names containing -- or shell metacharacters and close any suspicious entries
- Rotate SSH host keys, deploy keys, and API tokens stored on any Gogs server that ran a vulnerable version
Patch Information
The fix is released in Gogs v0.14.3 and applied in commit a9dbafb. The patch refactors merge-time git invocations to use a structured clone API that prevents branch names from being interpreted as command-line flags. Additional context is available in GitHub Security Advisory GHSA-qf6p-p7ww-cwr9 and Pull Request #8301.
Workarounds
- Disable the "Rebase before merging" merge strategy in repository settings where feasible
- Place Gogs behind a reverse proxy that enforces input validation on branch and reference names
- Run the Gogs service under a dedicated, unprivileged user account with no sudo rights and minimal filesystem access
- Apply mandatory access control profiles (AppArmor or SELinux) restricting which binaries the Gogs process may execute
# Verify installed Gogs version and upgrade if vulnerable
gogs --version
# Expected output for a patched system:
# Gogs version 0.14.3
# Container deployments: pull the fixed image and redeploy
docker pull gogs/gogs:0.14.3
docker stop gogs && docker rm gogs
docker run -d --name=gogs -p 3000:3000 -v /var/gogs:/data gogs/gogs:0.14.3
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

