Gogs is a popular, self-hosted Git service written in Go. A critical vulnerability, identified as CVE-2026-52810, has been discovered in its Git Smart HTTP handler. This flaw allows an attacker to bypass authorization checks and gain write access to repositories they should only be able to read.
The root cause lies in how the handler determines the authorization policy for incoming requests. The Git protocol uses two main RPCs over HTTP: `upload-pack` for read operations (like git fetch) and `receive-pack` for write operations (like git push). In the vulnerable Gogs implementation, the system incorrectly derives the access mode from the `service` query parameter (e.g., ?service=git-upload-pack) instead of the actual RPC path being executed.
An attacker can exploit this by sending a `POST` request to the write endpoint (/repo.git/git-receive-pack) but with a query string that indicates a read service (?service=git-upload-pack). The routing logic correctly identifies this as a `receive-pack` operation, but the authorization check is tricked into treating it as a read operation, effectively allowing a push where only read permissions were granted.
This vulnerability is particularly dangerous in two scenarios:
- Read-only Collaborators: A user who has been added as a read-only collaborator to a private repository can exploit this flaw to push code to it.
- Instances with `REQUIRE_SIGNIN_VIEW = true`: When this setting is enabled, all repositories are hidden from unauthenticated users. In this case, any authenticated user can exploit this vulnerability to write to any public repository on the instance.
The exploit is not possible on fully public repositories that are viewable by anonymous users, as it would cause a server crash. The official CVE was published on June 19, 2026.
DailyCVE Form
Platform: Gogs
Version: 0.13.4 and below
Vulnerability: Authorization Bypass
Severity: High
Date: 2026-06-19
Prediction: 2026-06-26
What Undercode Says:
Undercode’s analysis focuses on the practical exploitation and impact of CVE-2026-52810.
Analytics
The vulnerability stems from a logic flaw: the system trusts a client-controlled parameter (`service`) for authorization decisions instead of the actual endpoint being accessed. The following proxy script demonstrates how an attacker can manipulate this parameter to escalate privileges.
PoC Proxy Handler Snippet from CVE-2026-52810 (excerpt; the surrounding proxy class and the code that relays the request are not reproduced here):

```python
# This code intercepts and rewrites the request path.
# It takes a request to the write endpoint (git-receive-pack)
# and adds a query parameter that tricks the server into
# authorizing it as a read operation (git-upload-pack).
if path.endswith("/git-receive-pack") and "service=" not in q:
    # Forge the query string to indicate a read operation
    query = f"{q}&service=git-upload-pack" if q else "service=git-upload-pack"
    if self.log_rewrite:
        sys.stderr.write(f"[bash] rewrite receive-pack -> {path}?{query}\n")
# The rest of the request is then relayed to the Gogs server.
```

End of Snippet
Source: CVE-2026-52810 GitHub Advisory
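The root-cause paragraph at the top and the Analytics section both reduce to one decision: where the handler takes the required access mode from. The following Go example, added here and not Gogs' own code, contrasts that flawed derivation with one keyed on the RPC path; the type and function names are illustrative, and the handling of the `info/refs` advertisement follows the Git smart HTTP protocol rather than anything the advisory states.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// AccessMode is the permission a request requires (illustrative, not Gogs' own type).
type AccessMode int

const (
	AccessRead AccessMode = iota
	AccessWrite
)

// accessModeVulnerable reproduces the flaw: the mode is taken from the
// client-controlled ?service= parameter, not from the RPC being executed.
func accessModeVulnerable(u *url.URL) AccessMode {
	if u.Query().Get("service") == "git-receive-pack" {
		return AccessWrite
	}
	return AccessRead
}

// accessModeFixed dispatches on the RPC path; ?service= is consulted only for
// the ref advertisement (GET .../info/refs), where no RPC path exists.
func accessModeFixed(u *url.URL) AccessMode {
	if strings.HasSuffix(u.Path, "/info/refs") {
		if u.Query().Get("service") == "git-receive-pack" {
			return AccessWrite
		}
		return AccessRead
	}
	if strings.HasSuffix(u.Path, "/git-receive-pack") {
		return AccessWrite
	}
	return AccessRead
}

// authorize reports whether a user holding granted may perform required.
func authorize(required, granted AccessMode) bool { return granted >= required }

func main() {
	u, _ := url.Parse("/org/repo.git/git-receive-pack?service=git-upload-pack")
	fmt.Println("vulnerable lets read-only user push:", authorize(accessModeVulnerable(u), AccessRead))
	fmt.Println("fixed lets read-only user push:", authorize(accessModeFixed(u), AccessRead))
}
```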
Exploit:
To exploit this vulnerability, an attacker would perform the following steps:
1. Setup: Identify a target Gogs instance and a repository where they have read-only access (or any repository on an instance with `REQUIRE_SIGNIN_VIEW = true`).
2. Prepare a Malicious Push: Create a local Git repository with a commit they wish to push.
3. Intercept and Modify the Request: Use a proxy (like the one in the PoC) to intercept the `git push` request. The proxy modifies the request URL from `/repo.git/git-receive-pack` to `/repo.git/git-receive-pack?service=git-upload-pack`.
4. Execute: The modified request is sent to the Gogs server. The server incorrectly authorizes the write operation, and the attacker’s code is pushed to the repository.
Protection:
To protect against CVE-2026-52810, the following measures are recommended:
1. Patch: Immediately upgrade Gogs to a patched version that correctly authorizes requests based on the RPC path, not the `service` query parameter.
2. Configuration: If an immediate upgrade is not possible, consider disabling the `REQUIRE_SIGNIN_VIEW` setting as a temporary workaround, though this may expose repositories to anonymous users and is not a complete fix.
3. Monitoring: Monitor server logs for unusual `POST` requests to `/git-receive-pack` endpoints that include a `service=git-upload-pack` query parameter, as this is a clear indicator of an attempted exploit.
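For the monitoring recommendation in item 3, this Go example (added here; not part of the advisory or of Gogs) scans constructed access-log lines in combined format for the pattern described there. It generalizes slightly by flagging any POST to a receive-pack endpoint whose `service` parameter names a different RPC, since a legitimate push sends no such parameter on that POST.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// requestRE extracts client, user, method, target and status from a combined-format
// access log line as a reverse proxy in front of Gogs might write it (adjust to your format).
var requestRE = regexp.MustCompile(`^(\S+) \S+ (\S+) \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})`)

// Finding describes one log line that matches the exploit pattern.
type Finding struct{ Client, User, Target, Status string }

// suspiciousPushes returns every POST to a .../git-receive-pack endpoint whose
// query string carries a service parameter naming some other RPC.
func suspiciousPushes(lines []string) []Finding {
	var out []Finding
	for _, line := range lines {
		m := requestRE.FindStringSubmatch(line)
		if m == nil || m[3] != "POST" {
			continue
		}
		u, err := url.ParseRequestURI(m[4])
		if err != nil || !strings.HasSuffix(u.Path, "/git-receive-pack") {
			continue
		}
		svc := u.Query().Get("service")
		if svc != "" && svc != "git-receive-pack" {
			out = append(out, Finding{Client: m[1], User: m[2], Target: m[4], Status: m[5]})
		}
	}
	return out
}

// sampleLog is constructed for this example; it is not real traffic.
var sampleLog = []string{
	`10.0.0.5 - alice [19/Jun/2026:10:00:01 +0000] "GET /org/repo.git/info/refs?service=git-upload-pack HTTP/1.1" 200 412`,
	`10.0.0.5 - alice [19/Jun/2026:10:00:02 +0000] "POST /org/repo.git/git-upload-pack HTTP/1.1" 200 9031`,
	`10.0.0.9 - bob [19/Jun/2026:10:05:10 +0000] "POST /org/repo.git/git-receive-pack HTTP/1.1" 200 88`,
	`10.0.0.7 - mallory [19/Jun/2026:10:07:44 +0000] "POST /org/repo.git/git-receive-pack?service=git-upload-pack HTTP/1.1" 200 88`,
}

func main() {
	for _, f := range suspiciousPushes(sampleLog) {
		fmt.Printf("ALERT user=%s client=%s status=%s target=%s\n", f.User, f.Client, f.Status, f.Target)
	}
}
```

A 200 status on a flagged line means the instance accepted the forged push and is unpatched; on a fixed server the same line should show a 403.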
Impact
The impact of this vulnerability is severe:
- Data Integrity: An attacker with read-only access can modify the source code, inject malware, or introduce backdoors into a repository.
- Availability: By using a `--force` push, an attacker can overwrite the main branch history, potentially causing data loss or disrupting the development workflow.
- Privilege Escalation: On instances with `REQUIRE_SIGNIN_VIEW = true`, the attack surface is widened, as any authenticated user can compromise any public repository.
Sources:
Reported By: github.com