logo

Database

Lack of data validation In gogs.io/gogs

Description

Gogs has the ability to import local repositories via Mirror Settings

Summary

The Gogs Mirror Settings functionality provide an alternative way from the well protected New Migration functionality for any authenticated users to import local repositories. This issue stems from a lack of validation of SaveAddress function.

Details

Here is the function implementation of the secure New Migration functionality. image

Here is the function implementation of the Mirror Settings without any validation. image

PoC

The New Migration feature correctly blocked my attempt to import a local repository. image

But if I create a normal migration with a valid repository. image

Then, I could use the Mirror Settings feature under the Repository Settings sync a local repository. image

Here is the result after the sync. image

Impact

Users can import local repositories from the server's filesystem, which allows accessing any repository the git user has access to. There is also a potential issue of blind SSRF.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2026-528012. NVD-2026-528013. OSV-2026-528014. GHSA-wv27-2vqp-j7g55. GCVE-2026-52801

References

1. https://github.com/gogs/gogs/security/advisories/GHSA-wv27-2vqp-j7g52. https://github.com/gogs/gogs/pull/82253. https://github.com/gogs/gogs/commit/11e19f28b5c82466fd1689c94344ef4313ee986c4. https://github.com/gogs/gogs/releases/tag/v0.14.3

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.