CVE-2026-52810
HighCVSS 7.1Exploitation Probability (EPSS)
Low risk34th percentile — higher than 34% of all known CVEs
Summary
Gogs is an open source self-hosted Git service. Prior to 0.14.3, Git smart HTTP authorized POST …/git-receive-pack using the client-supplied service query string, allowing push where only read should be allowed.
Risk Assessment
This vulnerability may lead to unauthorized changes in repositories, posing a risk to data integrity and potential security breaches.
Recommendation
It is recommended to upgrade Gogs to version 0.14.3 or later to mitigate this vulnerability.
Original NVD description (English source)
Gogs is an open source self-hosted Git service. Prior to 0.14.3, Git smart HTTP authorizes POST …/git-receive-pack using the client-supplied service query string (so ?service=git-upload-pack is evaluated as read access) while routing still runs git receive-pack, allowing push where only read should be allowed. This vulnerability is fixed in 0.14.3.

