Gogs Path Traversal in Organization Name Leading to RCE via Git Hooks
CVE-2026-52813 is a critical path traversal vulnerability (CVSS 10.0) in Gogs versions prior to 0.14.3. An attacker can craft a malicious organization name containing path traversal sequences (e.g., '../') to write arbitrary Git hook files outside the intended repository directory. This allows remote code execution on the Gogs server by placing executable hook scripts in controlled locations. A public PoC is available, making active exploitation likely.
Vulnerability Intelligence
Public PoC
Affected Software
- Vendor: go
- Product: gogs.io/gogs
- Versions: < 0.14.3
Weakness (CWE)
Timeline
- Disclosed: June 23, 2026
References & Proof of Concept
What is CVE-2026-52813 Gogs Path Traversal in Organization Name Leading to RCE via Git Hooks?
Gogs Path Traversal in Organization Name Leading to RCE via Git Hooks (CVE-2026-52813) maps to the Initial Access, Execution, Persistence and Lateral Movement tactics in MITRE ATT&CK. Initial Access covers an adversary trying to get into your network.
This page provides production-ready detection logic for Gogs Path Traversal in Organization Name Leading to RCE via Git Hooks, covering the data sources and telemetry it touches: W3CIISLog, Syslog, SecurityEvent, AuditLogs. The queries below are rated critical severity at medium confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.
MITRE ATT&CK
union isfuzzy=true
(
    W3CIISLog
    // W3C logs record the URI stem and query string only, not the POST body.
    | where csUriStem has_any ("/org/create", "/api/v1/orgs")
        // contains is a substring match; the regex also covers percent-encoded dots and separators.
        and (csUriQuery contains ".." or csUriQuery matches regex @"(?i)(\.|%2e){2}(/|\\|%2f|%5c)")
    | project TimeGenerated, Computer, cIP, csMethod, csUriStem, csUriQuery, scStatus, csUserAgent
    | extend AlertDetail = "Potential path traversal in Gogs org name via HTTP request"
),
(
    Syslog
    | where ProcessName =~ "gogs" or SyslogMessage has "gogs"
    // Substring match on ".." also covers "../", "..%2F" and "..%5C".
    | where SyslogMessage contains ".."
        // has_any matches whole terms, so the plural forms are listed as well.
        and SyslogMessage has_any ("org", "orgs", "organization", "hook", "hooks")
    | project TimeGenerated, Computer, HostName, SyslogMessage
    | extend AlertDetail = "Gogs process log shows path traversal in org/hook context"
),
(
    SecurityEvent
    // 4688 = process creation, 4663 = attempt to access an object.
    | where EventID in (4688, 4663)
    | where (NewProcessName has "gogs" or ProcessName has "gogs")
        or (ObjectName has ".git" and ObjectName has "hooks")
    | project TimeGenerated, Computer, Account, EventID, NewProcessName, CommandLine, ObjectName
    | extend AlertDetail = "Process or file event associated with Gogs Git hook path"
)
| extend CVE = "CVE-2026-52813"
| sort by TimeGenerated desc

Detects potential exploitation of CVE-2026-52813 by monitoring for path traversal sequences in HTTP requests targeting Gogs organization creation endpoints, Gogs process log anomalies, and suspicious file/process activity around .git/hooks directories.
Data Sources
Required Tables
False Positives
- Legitimate security scanners or penetration testing tools probing the Gogs instance
- Automated CI/CD systems that interact with Gogs org APIs with unusual query strings
- Admin users creating organizations with names that coincidentally contain dots or slashes in encoded form
- Log parsing tools that process raw hook paths during backup or migration tasks
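Added example (not part of the original page and not Gogs code): a Python triage pass that decodes nested percent-encoding before testing the organization name, so the dotted names from the false-positive list do not fire while encoded separators do. The JSON log format with a logged request body, the field names `ts`, `src` and `body`, and the sample lines are assumptions constructed for illustration; the endpoint paths and the `username` field come from this page.

```python
import json
from urllib.parse import unquote

# Endpoints named in the page's query; "username" is the field named in Test 1.
ORG_ENDPOINTS = ("/org/create", "/api/v1/orgs")

def normalize(value: str, max_rounds: int = 3) -> str:
    """Undo nested percent-encoding (bounded) and unify path separators."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\\", "/")

def is_traversal(name: str) -> bool:
    """True if the decoded name holds a path separator or is '.' / '..'."""
    segments = normalize(name).split("/")
    return len(segments) > 1 or segments[0] in (".", "..")

def scan(lines):
    """Return (ts, src, raw name) for org-creation POSTs with a traversal name."""
    hits = []
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the sweep
        if not isinstance(ev, dict) or ev.get("method") != "POST":
            continue
        if not str(ev.get("path", "")).startswith(ORG_ENDPOINTS):
            continue
        body = ev.get("body")
        name = str(body.get("username", "")) if isinstance(body, dict) else ""
        if is_traversal(name):
            hits.append((ev.get("ts"), ev.get("src"), name))
    return hits

# Constructed sample lines (hypothetical JSON proxy log that records request bodies).
SAMPLE_LOG = [
    '{"ts":"2026-07-01T10:01:02Z","src":"198.51.100.7","method":"POST","path":"/api/v1/orgs","body":{"username":"acme.dev"}}',
    '{"ts":"2026-07-01T10:04:11Z","src":"203.0.113.9","method":"POST","path":"/api/v1/orgs","body":{"username":"..%252F..%252Fexample"}}',
    '{"ts":"2026-07-01T10:04:12Z","src":"203.0.113.9","method":"POST","path":"/api/v1/orgs","body":{"username":"..%5C..%5Cexample"}}',
    '{"ts":"2026-07-01T10:05:00Z","src":"198.51.100.7","method":"GET","path":"/api/v1/orgs/acme.dev"}',
    'not json',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Matching on whole path segments after decoding is what separates `acme.dev` or `a..b` from a name that actually escapes its directory.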
Sigma rule & cross-platform mapping
The detection logic for Gogs Path Traversal in Organization Name Leading to RCE via Git Hooks (CVE-2026-52813) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the following logsource:
logsource:
  product: azure
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see.
- Test 1: Gogs Org Creation with Path Traversal Name (Unauthenticated PoC)
  Expected signal: HTTP POST to /api/v1/orgs with path traversal in username field; possible filesystem write to .git/hooks/ outside expected path; Gogs process creating files in unexpected directories
- Test 2: Manual Git Hook File Placement via Traversal (Filesystem Simulation)
  Expected signal: File creation event for executable file in .git/hooks path; auditd syscall write/chmod events; inotify events if configured on Gogs data directory
- Test 3: Verify Gogs Version and Patch Status
  Expected signal: HTTP GET requests to Gogs API version endpoint; web scraping of Gogs home page; process execution of gogs binary with --version flag
- Test 4: Post-Exploitation: Execute Command via Planted Git Hook
  Expected signal: Git push operation triggering hook execution; child process spawned by Gogs with UID of Gogs service; file write to /tmp/rce_proof.txt; network connection from Gogs process if hook establishes reverse shell