Detect CVE-2026-52806: Gogs RCE via git rebase --exec Argument Injection in PR Merge in Microsoft Sentinel
Detects exploitation of CVE-2026-52806, a critical command injection vulnerability (CWE-77) in Gogs versions prior to 0.14.3. An attacker can inject arbitrary shell commands via the git rebase --exec argument during pull request merge operations, leading to remote code execution on the Gogs server. A public PoC is available.
MITRE ATT&CK
- Tactic
- Execution Persistence Lateral Movement
KQL Detection Query
union DeviceProcessEvents, SecurityEvent
| where TimeGenerated > ago(24h)
| where (InitiatingProcessCommandLine has "git" and ProcessCommandLine has "rebase" and ProcessCommandLine has "--exec")
or (ProcessCommandLine has "git" and ProcessCommandLine has "rebase" and ProcessCommandLine has "--exec")
or (ParentProcessName has_any ("gogs", "gogs.exe") and ProcessCommandLine has_any ("bash", "sh", "cmd", "powershell", "python", "perl", "curl", "wget", "nc", "ncat"))
| extend SuspiciousExec = case(
ProcessCommandLine has "--exec" and ProcessCommandLine matches regex @"--exec[= ]['\"]?[^'\"]+[;&|`$]", "ArgumentInjection",
ParentProcessName has_any ("gogs", "gogs.exe") and ProcessCommandLine has_any ("curl", "wget", "nc"), "SuspiciousChildProcess",
"Other"
)
| where SuspiciousExec != "Other"
| project TimeGenerated, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessCommandLine, ParentProcessName, SuspiciousExecDetects git rebase --exec argument injection spawned by or related to Gogs processes, as well as suspicious child processes (reverse shells, downloaders) spawned from Gogs parent processes. Covers both Windows and Linux host telemetry via Defender for Endpoint and Security Events.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate developers using git rebase --exec locally on dev machines where Gogs is installed
- CI/CD pipelines running git rebase operations with --exec flags for automated testing
- System administrators running git maintenance scripts under Gogs service accounts
Other platforms for CVE-2026-52806
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Simulate git rebase --exec argument injection via crafted PR branch name
Expected signal: Process creation event: git with args [rebase, --exec, id > /tmp/cve_rce_proof.txt, target]; child process creation: sh -c 'id > /tmp/cve_rce_proof.txt'; file creation event at /tmp/cve_rce_proof.txt
- Test 2Gogs suspicious child process simulation — reverse shell via curl
Expected signal: Process creation event showing bash or curl with parent process name 'gogs'; network connection attempt from gogs-named process to 127.0.0.1:9999
- Test 3Persistence via cron injection post-Gogs RCE simulation
Expected signal: Process creation: git rebase --exec with crontab modification command; crontab process invocation; file write to /tmp/cve_persist_marker.txt; audit log entry for crontab modification
Unlock Pro Content
Get the full detection package for CVE-2026-52806 including response playbook, investigation guide, and atomic red team tests.