CVE-2026-52806: Gogs RCE via git rebase --exec Argument Injection in PR Merge

Detects exploitation of CVE-2026-52806, a critical command injection vulnerability (CWE-77) in Gogs versions prior to 0.14.3. An attacker can inject arbitrary shell commands via the git rebase --exec argument during pull request merge operations, leading to remote code execution on the Gogs server. A public PoC is available.

What is CVE-2026-52806 (Gogs RCE via git rebase --exec Argument Injection in PR Merge)?

CVE-2026-52806 (Gogs RCE via git rebase --exec Argument Injection in PR Merge) maps to the MITRE ATT&CK tactics Execution, Persistence and Lateral Movement; under Execution, the adversary is trying to run malicious code on the Gogs host.

This page provides production-ready detection logic for CVE-2026-52806: Gogs RCE via git rebase --exec Argument Injection in PR Merge, covering the data sources and telemetry it touches: Microsoft Defender for Endpoint, Azure Monitor Agent, Windows Security Events. The queries below are rated critical severity at high confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK

Tactic: Execution, Persistence, Lateral Movement

Microsoft Sentinel / Defender (KQL)

```kusto
// Normalise both tables to one schema first: DeviceProcessEvents (MDE, Windows and Linux) and SecurityEvent 4688 (needs command-line auditing)
union
  (DeviceProcessEvents
   | project TimeGenerated, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessCommandLine,
             ParentProcessName = InitiatingProcessFileName),
  (SecurityEvent
   | where EventID == 4688
   | project TimeGenerated, DeviceName = Computer, AccountName = SubjectUserName,
             ProcessCommandLine = CommandLine, InitiatingProcessCommandLine = "", ParentProcessName)
| where TimeGenerated > ago(24h)
| where InitiatingProcessCommandLine has_all ("git", "rebase", "--exec")
   or ProcessCommandLine has_all ("git", "rebase", "--exec")
   or (ParentProcessName has_any ("gogs", "gogs.exe") and ProcessCommandLine has_any ("bash", "sh", "cmd", "powershell", "python", "perl", "curl", "wget", "nc", "ncat"))
| extend SuspiciousExec = case(
    // --exec payload carrying a shell metacharacter or redirection (verbatim string: "" is a literal quote)
    ProcessCommandLine has "--exec" and ProcessCommandLine matches regex @"--exec[= ]['""]?[^'""]+[;&|`$<>]", "ArgumentInjection",
    // the command that git rebase --exec actually ran (child of the rebase), typically sh -c '<payload>'
    InitiatingProcessCommandLine has_all ("rebase", "--exec"), "ExecChildOfRebase",
    ParentProcessName has_any ("gogs", "gogs.exe") and ProcessCommandLine has_any ("curl", "wget", "nc"), "SuspiciousChildProcess",
    "Other")
| where SuspiciousExec != "Other"
| project TimeGenerated, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessCommandLine, ParentProcessName, SuspiciousExec
```

Detects git rebase --exec argument injection spawned by or related to Gogs processes, as well as suspicious child processes (reverse shells, downloaders) spawned from Gogs parent processes. Covers both Windows and Linux host telemetry via Defender for Endpoint and Security Events.

Severity: critical. Confidence: high.

Data Sources

  • Microsoft Defender for Endpoint
  • Azure Monitor Agent
  • Windows Security Events

Required Tables

  • DeviceProcessEvents
  • SecurityEvent

False Positives

  • Legitimate developers using git rebase --exec locally on dev machines where Gogs is installed
  • CI/CD pipelines running git rebase operations with --exec flags for automated testing
  • System administrators running git maintenance scripts under Gogs service accounts
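The following Python script is an illustration added to this page, not part of the detection package or of Gogs itself. It re-implements the classification logic of the KQL query above over a handful of constructed process-creation events, and shows one way to tune out the false positives listed above: an allowlist of known CI and maintenance accounts (the account name `ci-runner` is a hypothetical placeholder). The regex mirrors the KQL one but also treats shell redirection (`<`, `>`) as an injection marker, so that the `id > /tmp/cve_rce_proof.txt` payload from Test 1 below is classified as ArgumentInjection rather than slipping through.

```python
import re
from dataclasses import dataclass

# Mirrors the KQL `matches regex` clause, widened with < and > so that a
# redirection-only payload (like Test 1's `id > /tmp/...`) is also caught.
EXEC_INJECTION = re.compile(r"""--exec[= ]['"]?[^'"]+[;&|`$<>]""")

GOGS_PARENTS = {"gogs", "gogs.exe"}
SUSPICIOUS_CHILDREN = {"curl", "wget", "nc"}

# Hypothetical tuning allowlist for the false-positive cases listed above
# (CI runners, maintenance scripts). The account name is a placeholder.
ALLOWED_ACCOUNTS = {"ci-runner"}


@dataclass
class ProcessEvent:
    host: str
    account: str
    cmdline: str          # ProcessCommandLine
    parent_name: str      # ParentProcessName / InitiatingProcessFileName


def terms(text: str) -> set[str]:
    """Approximate KQL term matching (has_any): split on non-alphanumerics."""
    return {t.lower() for t in re.split(r"[^A-Za-z0-9_]+", text) if t}


def classify(ev: ProcessEvent) -> str:
    """Return the SuspiciousExec label the KQL case() would assign, or 'Other'."""
    if ev.account in ALLOWED_ACCOUNTS:
        return "Other"                      # tuned out, see False Positives above
    if "--exec" in ev.cmdline and EXEC_INJECTION.search(ev.cmdline):
        return "ArgumentInjection"
    if ev.parent_name.lower() in GOGS_PARENTS and terms(ev.cmdline) & SUSPICIOUS_CHILDREN:
        return "SuspiciousChildProcess"
    return "Other"


def hunt(events: list[ProcessEvent]) -> list[tuple[str, str, str]]:
    """Equivalent of the query's final `where SuspiciousExec != "Other"` and project."""
    hits = []
    for ev in events:
        label = classify(ev)
        if label != "Other":
            hits.append((ev.host, label, ev.cmdline))
    return hits


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    ProcessEvent("gogs-01", "git", 'git rebase --exec "id > /tmp/cve_rce_proof.txt" target', "gogs"),
    ProcessEvent("gogs-01", "git", "curl -s http://127.0.0.1:9999/", "gogs"),
    ProcessEvent("dev-laptop", "alice", 'git rebase --exec "make test" main', "bash"),
    ProcessEvent("ci-01", "ci-runner", 'git rebase --exec "npm test && npm run lint" main', "bash"),
]

if __name__ == "__main__":
    for host, label, cmd in hunt(SAMPLE_EVENTS):
        print(f"{host}: {label}: {cmd}")
```

Running the script lists only the two Gogs-host events; the developer's local `make test` rebase has no metacharacter in its payload and is never flagged, and the CI runner's `&&` payload is suppressed by the allowlist rather than by weakening the regex, which keeps the detection intact for every other account.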

Sigma rule & cross-platform mapping

The detection logic for CVE-2026-52806 (Gogs RCE via git rebase --exec Argument Injection in PR Merge) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native queries for KQL (Microsoft Sentinel / Defender), SPL (Splunk), EQL (Elastic Security), AQL (IBM QRadar), Sumo Logic CSE, YARA-L (Google Chronicle / SecOps) and CQL (CrowdStrike LogScale). In Sigma terms, this detection targets the following logsource:

logsource:
  category: process_creation
  product: windows


Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Simulate git rebase --exec argument injection via crafted PR branch name

    Expected signal: Process creation event: git with args [rebase, --exec, id > /tmp/cve_rce_proof.txt, target]; child process creation: sh -c 'id > /tmp/cve_rce_proof.txt'; file creation event at /tmp/cve_rce_proof.txt

  2. Test 2: Gogs suspicious child process simulation (reverse shell via curl)

    Expected signal: Process creation event showing bash or curl with parent process name 'gogs'; network connection attempt from gogs-named process to 127.0.0.1:9999

  3. Test 3: Persistence via cron injection post-Gogs RCE simulation

    Expected signal: Process creation: git rebase --exec with crontab modification command; crontab process invocation; file write to /tmp/cve_persist_marker.txt; audit log entry for crontab modification
