HomeCVE Intelligence › CVE-2026-52801
CVSS 8.1 HIGH Vulnerability

CVE-2026-52801: Gogs has the ability to import local repositories via Mirror Settings

Summary The Gogs Mirror Settings functionality provide an alternative way from the well protected New Migration functionality for any authenticated users to import local repositories. This issue stems from a lack of val…

8.1CVSS Score
HIGHSeverity
NOCISA KEV
VulnerabilityImpact Type

📋 Vulnerability Details

CVE IDCVE-2026-52801
Vendorgo
Affected Productgogs.io/gogs
Vulnerability TypeVulnerability
CVSS Score8.1 (HIGH)
Actively Exploited❌ No known exploitation
Patch StatusSee Vendor Advisory →
Reported ByCYBERDUDEBIVASH SENTINEL APEX Intelligence (via github_advisories)

🔬 Technical Analysis

#

Summary

The Gogs Mirror Settings functionality provide an alternative way from the well protected New Migration functionality for any authenticated users to import local repositories. This issue stems from a lack of validation of SaveAddress function.

Details

Here is the function implementation of the secure New Migration functionality. Here is the function implementation of the Mirror Settings without any validation.

PoC

The New Migration feature correctly blocked my attempt to import a local repository. But if I create a normal migration with a valid repository. Then, I could use the Mirror Settings feature under the Repository Settings sync a local repository. Here is the result after the sync.

Impact

Users can import local repositories from the server's filesystem, whic

📚 Advisory References

⚡ DETECTION RULES AVAILABLE

Get CVE-2026-52801 Detection Pack

Sigma rules, YARA signatures, IOC table, and SIEM queries for Splunk, Elastic, Sentinel, and Chronicle — deployable in 5 minutes.

✓ Sigma Rules ✓ YARA Pack ✓ IOC Table ✓ SIEM Queries
🛡️ Get Detection Pack → 🔌 Access via API →

🔗 Related Intelligence