PT-2026-51629 · Gogs · Gogs

Published: 2026-06-23 · Updated: 2026-06-24 · CVE-2026-52811

CVSS v4.0: 9.0 (Critical)
Vector: AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Vulnerable software and affected versions: Gogs versions 0.14.0 through 0.14.2

Description: The UploadRepoFiles function checks for symbolic links only at the leaf of the upload target, using osx.IsSymlink(), whereas other functions validate every component of the path. An attacker with repository write access can exploit this by performing a multipart upload with a filename containing a literal backslash. On Linux and macOS, filepath.Base preserves backslashes, which pathx.Clean() subsequently converts to forward slashes. This allows the attacker to redirect the write operation through a previously committed directory symlink.

Because iox.CopyFile() uses os.Create() without the O_NOFOLLOW flag, the kernel follows the parent symlink, enabling the attacker to write arbitrary bytes to any location the Gogs UID has permission to access. Potential targets include ~git/.ssh/authorized_keys to gain SSH access, or <repo>.git/hooks/post-receive to achieve remote code execution (RCE) on the next push. Windows builds are not affected because of their different handling of path separators and default git configuration.
Recommendations: For versions 0.14.0 through 0.14.2:
  • Replace the leaf-only check in repo_editor.go with the hasSymlinkInPath() function so that the entire path is validated.
  • Validate opts.TreePath before calling os.MkdirAll() to prevent directory creation outside the repository.
  • Update iox.CopyFile() to pass the O_NOFOLLOW flag when opening files, so that symlink following is refused at the syscall layer.
  • Modify database.NewUpload to reject any name containing `/` or `\` after pathx.Clean() has been applied.
  • As a temporary mitigation, restrict repository write access to trusted users only.
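The following Go program is an added example, not part of this advisory and not code from the Gogs project. It shows, in hypothetical form, the three hardening checks the recommendations describe: an upload-name validator that rejects `/` and `\` after cleaning, a per-component symlink walk that also refuses paths escaping the repository root (the TreePath check before os.MkdirAll), and a file create that passes O_NOFOLLOW. The function names ValidateUploadName, HasSymlinkInPath and CreateNoFollow and the demo repository layout are my own assumptions, not Gogs identifiers. One caveat a practitioner should keep in mind: O_NOFOLLOW only refuses a symlink at the final path component, so on its own it cannot stop a write routed through a symlinked parent directory; the per-component Lstat walk is what closes that gap, which is why the advisory recommends both.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
	"syscall"
)

// ValidateUploadName applies the NewUpload rule from the advisory: after
// cleaning, an upload name must be a single path element containing neither
// '/' nor '\'. On Linux and macOS filepath.Base keeps backslashes, so a name
// such as `dir\README.md` would survive a leaf-only check; it is rejected here.
func ValidateUploadName(name string) error {
	cleaned := filepath.Clean(name)
	if cleaned == "" || cleaned == "." || cleaned == ".." ||
		strings.ContainsAny(cleaned, `/\`) {
		return fmt.Errorf("rejecting upload name %q", name)
	}
	return nil
}

// HasSymlinkInPath walks every component of target below root (not only the
// leaf) with Lstat and reports whether any of them is a symbolic link. It also
// refuses targets that resolve outside root. Hypothetical helper; it is not
// Gogs' own hasSymlinkInPath.
func HasSymlinkInPath(root, target string) (bool, error) {
	rel, err := filepath.Rel(root, target)
	if err != nil {
		return false, err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return false, fmt.Errorf("target %q escapes root", target)
	}
	cur := root
	for _, part := range strings.Split(rel, string(filepath.Separator)) {
		if part == "" || part == "." {
			continue
		}
		cur = filepath.Join(cur, part)
		fi, err := os.Lstat(cur) // Lstat inspects the entry itself, never following it
		if errors.Is(err, os.ErrNotExist) {
			return false, nil // nothing below this point exists yet, so nothing to follow
		}
		if err != nil {
			return false, err
		}
		if fi.Mode()&os.ModeSymlink != 0 {
			return true, nil
		}
	}
	return false, nil
}

// CreateNoFollow opens the destination with O_NOFOLLOW so the kernel refuses a
// symlink at the final component (ELOOP) instead of writing through it. It does
// not protect against symlinked parent directories; HasSymlinkInPath does.
func CreateNoFollow(path string) (*os.File, error) {
	return os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_TRUNC|syscall.O_NOFOLLOW, 0o644)
}

// Demo on a constructed repository: "docs" is a committed directory symlink to "real".
func main() {
	for _, n := range []string{"README.md", `dir\README.md`, "../escape"} {
		fmt.Printf("%-18q -> %v\n", n, ValidateUploadName(n))
	}
	root, err := os.MkdirTemp("", "repo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)
	_ = os.Mkdir(filepath.Join(root, "real"), 0o755)
	_ = os.Symlink("real", filepath.Join(root, "docs"))
	for _, p := range []string{"real/new.txt", "docs/new.txt"} {
		bad, err := HasSymlinkInPath(root, filepath.Join(root, p))
		fmt.Printf("%-14s symlink in path: %v err: %v\n", p, bad, err)
	}
}
```

Run it as a normal Go program: the first loop shows the name validator accepting `README.md` and rejecting both the backslash name and the traversal attempt, and the second loop shows the walk flagging `docs/new.txt` because its parent is a symlink while `real/new.txt` passes.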

Fix

Link Following

Path traversal


Weakness Enumeration

Related Identifiers

CVE-2026-52811
GHSA-89MR-XQFV-758M

Affected Products

Gogs