PT-2026-51628 · Gogs · Gogs

Published

2026-06-23

·

Updated

2026-06-23

·

CVE-2026-52810

CVSS v4.0

7.1

High

Vector

AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions

Gogs (affected versions not specified)

Description

Gogs contains an authorization bypass in its Git Smart HTTP handler for repository RPCs. The handler chooses the authorization policy from the client-supplied 'service' query parameter instead of from the RPC named in the request path, which is the RPC that is actually executed. A request to the write endpoint '/repo.git/git-receive-pack' is therefore treated as a read operation when the 'service' parameter is set to 'git-upload-pack' (the RPC used for fetch and clone).

Because the permission check passes as a read while route dispatch still runs the receive-pack code path, a user with only read permission on a repository can push to it. The impact is greatest on instances with REQUIRE_SIGNIN_VIEW set to true, where any signed-in user can potentially write to any public repository. A force push through this path can also overwrite existing branch history, causing data loss or loss of availability.
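The following Go program is an added illustration of the mismatch described above; it is not Gogs code and does not reproduce Gogs's router. It models two ways of authorizing a Smart HTTP RPC request: a vulnerable version that picks the policy from the 'service' query parameter while dispatching on the path, and a fixed version that derives both from the path. The permission levels, helper names and the repository path '/alice/repo.git' are assumptions chosen for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Perm is a hypothetical repository permission level: none, read (fetch), write (push).
type Perm int

const (
	PermNone Perm = iota
	PermRead
	PermWrite
)

// rpcFromPath returns the RPC named by the final path segment.
// Only the two Smart HTTP RPCs are recognised; anything else yields "".
func rpcFromPath(path string) string {
	rpc := path[strings.LastIndex(path, "/")+1:]
	if rpc == "git-upload-pack" || rpc == "git-receive-pack" {
		return rpc
	}
	return ""
}

// requiredPerm is the permission an RPC needs. Unknown RPCs fail closed.
func requiredPerm(rpc string) Perm {
	switch rpc {
	case "git-upload-pack":
		return PermRead // fetch / clone
	case "git-receive-pack":
		return PermWrite // push
	default:
		return PermWrite
	}
}

// authorizeVulnerable models the flaw: the policy is chosen from the
// client-supplied ?service= parameter (falling back to the path only when
// the parameter is absent), while the RPC that actually runs is still
// selected from the path. It returns whether the request is allowed and
// which RPC would be dispatched.
func authorizeVulnerable(r *http.Request, user Perm) (allowed bool, dispatched string) {
	policyRPC := r.URL.Query().Get("service")
	if policyRPC == "" {
		policyRPC = rpcFromPath(r.URL.Path)
	}
	return user >= requiredPerm(policyRPC), rpcFromPath(r.URL.Path)
}

// authorizeFixed derives the policy from the same value that drives
// dispatch, the RPC in the path, and ignores the query string for RPC
// endpoints, so a client cannot downgrade a write to a read.
func authorizeFixed(r *http.Request, user Perm) (allowed bool, dispatched string) {
	rpc := rpcFromPath(r.URL.Path)
	if rpc == "" {
		return false, "" // not an RPC endpoint; nothing to dispatch
	}
	return user >= requiredPerm(rpc), rpc
}

// newRPCRequest builds a constructed POST of the shape the advisory
// describes; the repository path and query string are hypothetical.
func newRPCRequest(path, query string) *http.Request {
	target := path
	if query != "" {
		target += "?" + query
	}
	return httptest.NewRequest(http.MethodPost, target, strings.NewReader(""))
}

func main() {
	// A read-only user targets the write endpoint but claims service=git-upload-pack.
	r := newRPCRequest("/alice/repo.git/git-receive-pack", "service=git-upload-pack")
	vAllowed, vRPC := authorizeVulnerable(r, PermRead)
	fAllowed, fRPC := authorizeFixed(r, PermRead)
	fmt.Printf("vulnerable: allowed=%v dispatched=%q\n", vAllowed, vRPC)
	fmt.Printf("fixed:      allowed=%v dispatched=%q\n", fAllowed, fRPC)
}
```

The essential property of the fixed version is that the value the permission check inspects and the value the router dispatches on are the same string; any design where they can diverge, whatever the parameter is called, reproduces the bypass.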
Recommendations

At the moment there is no information about a release that fixes this vulnerability; watch the linked GHSA advisory and the Gogs release notes for one. Because the flaw is in the Smart HTTP handler, instances that can serve Git over SSH only can remove the affected code path by disabling Git over HTTP (DISABLE_HTTP_GIT in app.ini). On instances with REQUIRE_SIGNIN_VIEW enabled, treat every signed-in account as able to push to any public repository until a fix is deployed, and review recent pushes to public repositories accordingly.

Weakness Enumeration

Improper Access Control

Related Identifiers

CVE-2026-52810
GHSA-WMFG-5P4H-5FW3

Affected Products

Gogs