CVE-2026-52806 Google Chronicle · YARA-L

Detect CVE-2026-52806: Gogs RCE via git rebase --exec Argument Injection in PR Merge in Google Chronicle

Detects exploitation of CVE-2026-52806, a critical command injection vulnerability (CWE-77) in Gogs versions prior to 0.14.3. An attacker can inject arbitrary shell commands via the git rebase --exec argument during pull request merge operations, leading to remote code execution on the Gogs server. A public PoC is available.

MITRE ATT&CK

Tactic

  • Execution
  • Persistence
  • Lateral Movement

YARA-L Detection Query

Google Chronicle (YARA-L)

```yaral
rule cve_2026_52806_gogs_rebase_exec_injection {
  meta:
    author = "df00tech Detection Platform"
    description = "Detects CVE-2026-52806 git rebase --exec argument injection via Gogs pull request merge"
    severity = "CRITICAL"
    priority = "HIGH"
    reference = "https://github.com/gogs/gogs/security/advisories/GHSA-qf6p-p7ww-cwr9"

  events:
    // Branch 1: any git rebase launch carrying --exec, the injected argument
    (
      $e1.metadata.event_type = "PROCESS_LAUNCH"
      and $e1.target.process.command_line = /git\s+rebase.*--exec/
    )
    or
    // Branch 2: shell or download utility spawned directly by the gogs binary
    (
      $e1.metadata.event_type = "PROCESS_LAUNCH"
      and $e1.principal.process.file.full_path = /gogs/
      and (
        $e1.target.process.file.full_path = /\/(bash|sh|curl|wget|nc|ncat|python[0-9.]*|perl)$/
        or $e1.target.process.file.full_path = /\\(cmd\.exe|powershell\.exe)$/
      )
    )

  condition:
    $e1
}
```

Severity: critical. Confidence: high.

Chronicle YARA-L 2.0 rule detecting git rebase --exec argument injection and suspicious child processes spawned from Gogs, covering the CVE-2026-52806 RCE attack pattern.

Data Sources

  • Chronicle UDM
  • Google Security Operations EDR

Required Tables

UDM Events

False Positives & Tuning

  • Legitimate git rebase --exec invocations by developers where Gogs is installed on the same endpoint
  • Authorized scripts run under the Gogs process for repository maintenance or plugin operations
  • CI runners sharing the Gogs host user context and invoking shell utilities as part of builds

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Simulate git rebase --exec argument injection via crafted PR branch name

    Expected signal: Process creation event: git with args [rebase, --exec, id > /tmp/cve_rce_proof.txt, target]; child process creation: sh -c 'id > /tmp/cve_rce_proof.txt'; file creation event at /tmp/cve_rce_proof.txt

  2. Test 2: Gogs suspicious child process simulation — reverse shell via curl

    Expected signal: Process creation event showing bash or curl with parent process name 'gogs'; network connection attempt from gogs-named process to 127.0.0.1:9999

  3. Test 3: Persistence via cron injection post-Gogs RCE simulation

    Expected signal: Process creation: git rebase --exec with crontab modification command; crontab process invocation; file write to /tmp/cve_persist_marker.txt; audit log entry for crontab modification
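To see how the two branches of the rule behave on the telemetry the tests above describe, here is an added Python re-implementation of the rule logic evaluated over constructed UDM-style events (example code written for this page, not code from the detection platform or the Gogs project). The `known_maintainers` allowlist on `principal.user.userid` is an assumed tuning hook for the developer false-positive case from the tuning section; it is not part of the rule.

```python
import re

# Regexes copied from the two branches of the YARA-L rule above.
REBASE_EXEC_RE = re.compile(r"git\s+rebase.*--exec")
UNIX_TOOL_RE = re.compile(r"/(bash|sh|curl|wget|nc|ncat|python[0-9.]*|perl)$")
WIN_SHELL_RE = re.compile(r"\\(cmd\.exe|powershell\.exe)$")

def field(event: dict, dotted: str) -> str:
    """Read a UDM-style nested field by dotted path; missing fields read as ''."""
    node = event
    for key in dotted.split("."):
        node = node.get(key, "") if isinstance(node, dict) else ""
    return node if isinstance(node, str) else ""

def matches_rule(event: dict, known_maintainers: frozenset = frozenset()) -> bool:
    """True if one UDM event satisfies either branch of the rule.
    known_maintainers is an assumed tuning hook (not in the original rule)."""
    if field(event, "metadata.event_type") != "PROCESS_LAUNCH":
        return False
    if REBASE_EXEC_RE.search(field(event, "target.process.command_line")):
        if field(event, "principal.user.userid") not in known_maintainers:
            return True  # branch 1: git rebase --exec from anyone not allowlisted
    if "gogs" not in field(event, "principal.process.file.full_path"):
        return False
    child = field(event, "target.process.file.full_path")
    return bool(UNIX_TOOL_RE.search(child) or WIN_SHELL_RE.search(child))  # branch 2

def launch(parent: str, child: str, cmd: str, user: str = "git") -> dict:
    """Constructed minimal UDM PROCESS_LAUNCH event (sample data, not real telemetry)."""
    return {"metadata": {"event_type": "PROCESS_LAUNCH"},
            "principal": {"process": {"file": {"full_path": parent}}, "user": {"userid": user}},
            "target": {"process": {"file": {"full_path": child}, "command_line": cmd}}}

SAMPLE_EVENTS = {
    # Test 1: git launched by gogs with the injected --exec argument
    "t1_rebase_exec": launch("/usr/local/bin/gogs", "/usr/bin/git",
                             "git rebase --exec 'id > /tmp/cve_rce_proof.txt' target"),
    # Test 1 follow-on: the shell git spawns for --exec; its parent is git, not gogs
    "t1_child_sh": launch("/usr/bin/git", "/bin/sh", "sh -c 'id > /tmp/cve_rce_proof.txt'"),
    # Test 2: curl started directly under the gogs binary
    "t2_gogs_curl": launch("/usr/local/bin/gogs", "/usr/bin/curl", "curl http://127.0.0.1:9999/"),
    # Benign: gogs running git for a normal merge (no shell utility, no --exec)
    "benign_gogs_git": launch("/usr/local/bin/gogs", "/usr/bin/git", "git merge --no-ff feature"),
    # Tuning case from the page: a developer's own rebase --exec on the same host
    "dev_rebase_exec": launch("/bin/bash", "/usr/bin/git", "git rebase --exec 'make test' main", user="alice"),
}

def evaluate(events: dict, known_maintainers: frozenset = frozenset()) -> dict:
    """Map each sample event name to whether the rule would fire on it."""
    return {name: matches_rule(ev, known_maintainers) for name, ev in events.items()}
```

Note that the `sh -c` child from Test 1 matches neither branch, because its parent is git rather than gogs; the alert for that test comes from the git launch itself.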
