Detect Gogs Path Traversal in Organization Name Leading to RCE via Git Hooks in Google Chronicle
CVE-2026-52813 is a critical path traversal vulnerability (CVSS 10.0) in Gogs versions prior to 0.14.3. An attacker can craft a malicious organization name containing path traversal sequences (e.g., '../') to write arbitrary Git hook files outside the intended repository directory. This allows remote code execution on the Gogs server by placing executable hook scripts in controlled locations. A public PoC is available, making active exploitation likely.
YARA-L Detection Query
rule cve_2026_52813_gogs_path_traversal_rce {
  meta:
    author = "df00tech Detection Engineering"
    description = "Detects exploitation of CVE-2026-52813: path traversal in Gogs organization name leading to RCE via Git hooks"
    severity = "CRITICAL"
    priority = "HIGH"
    reference = "https://github.com/gogs/gogs/security/advisories/GHSA-c39w-43gm-34h5"

  events:
    // Branch 1: HTTP request to a Gogs organization endpoint carrying a
    // traversal sequence in the URL or the request body. The traversal
    // patterns are case-insensitive so upper-case percent-encoding
    // (%2E%2E%2F) is matched as well as lower-case.
    (
      $e1.metadata.event_type = "NETWORK_HTTP"
      and (
        re.regex($e1.network.http.request_url, `(?i)(org|organization|api/v1/orgs)`)
      )
      and (
        re.regex($e1.network.http.request_url, `(?i)(\.\./|\.\\|%2e%2e%2f|%2e%2e%5c|\.\.%2f|\.\.%5c)`)
        or re.regex($e1.network.http.request_body, `(?i)(\.\./|\.\\|%2e%2e)`)
      )
    )
    or
    // Branch 2: a Gogs process creating a file inside a .git/hooks directory.
    (
      $e1.metadata.event_type = "FILE_CREATION"
      and re.regex($e1.target.file.full_path, `(?i)\.git[/\\]hooks[/\\]`)
      and $e1.principal.process.file.full_path != ""
      and re.regex($e1.principal.process.file.full_path, `(?i)gogs`)
    )

  condition:
    $e1
}

Chronicle YARA-L rule detecting path traversal HTTP requests to Gogs organization endpoints and Gogs-initiated Git hook file creation events, flagging potential CVE-2026-52813 exploitation.
False Positives & Tuning
- Automated Git repository provisioning systems that create hook files via Gogs
- Security scanning tools that test for path traversal as part of routine assessments
- Developers using Gogs API with URL-encoded special characters for legitimate org management
- Backup restoration workflows that recreate Git hook directories through Gogs
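To show how the two branches of the YARA-L rule and the tuning notes above behave on concrete telemetry, here is an added Python emulation of the rule's logic. It is example code written for this page, not df00tech's rule engine, Chronicle's UDM, or any Gogs code. The event dictionaries, field names (request_url, target_path, process_path, src_ip) and IP addresses are constructed sample data; the percent-encoded traversal forms are matched case-insensitively so that %2E%2E%2F is caught as well as %2e%2e%2f, and a scanner-source allowlist models the "security scanning tools" false-positive case.

```python
"""Emulation of the Chronicle YARA-L rule for CVE-2026-52813 over constructed
UDM-style events (added example; not df00tech's, Chronicle's or Gogs' code)."""
import re
from typing import Dict, FrozenSet, List, Tuple

# Patterns taken from the YARA-L rule; re.I supplies the (?i) behaviour.
ORG_ENDPOINT_RE = re.compile(r"(org|organization|api/v1/orgs)", re.I)
URL_TRAVERSAL_RE = re.compile(
    r"(\.\./|\.\\|%2e%2e%2f|%2e%2e%5c|\.\.%2f|\.\.%5c)", re.I)
BODY_TRAVERSAL_RE = re.compile(r"(\.\./|\.\\|%2e%2e)", re.I)
HOOKS_PATH_RE = re.compile(r"\.git[/\\]hooks[/\\]", re.I)
GOGS_PROCESS_RE = re.compile(r"gogs", re.I)

Event = Dict[str, str]


def http_branch(ev: Event) -> bool:
    """Branch 1: request to an org endpoint with a traversal sequence in the
    URL or the body (mirrors the NETWORK_HTTP clause of the rule)."""
    if ev.get("event_type") != "NETWORK_HTTP":
        return False
    url = ev.get("request_url", "")
    body = ev.get("request_body", "")
    if not ORG_ENDPOINT_RE.search(url):
        return False
    return bool(URL_TRAVERSAL_RE.search(url) or BODY_TRAVERSAL_RE.search(body))


def file_branch(ev: Event) -> bool:
    """Branch 2: a Gogs process creating a file under .git/hooks/
    (mirrors the FILE_CREATION clause of the rule)."""
    if ev.get("event_type") != "FILE_CREATION":
        return False
    path = ev.get("target_path", "")
    proc = ev.get("process_path", "")
    return bool(HOOKS_PATH_RE.search(path)) and proc != "" \
        and bool(GOGS_PROCESS_RE.search(proc))


def evaluate(events: List[Event],
             scanner_sources: FrozenSet[str] = frozenset()) -> List[Tuple[int, str]]:
    """Return (event index, branch name) for every event that fires.
    Events from allowlisted scanner source IPs are skipped, which is the
    tuning suggested for authorised path-traversal scanning."""
    hits: List[Tuple[int, str]] = []
    for i, ev in enumerate(events):
        if ev.get("src_ip") in scanner_sources:
            continue
        if http_branch(ev):
            hits.append((i, "http_traversal"))
        elif file_branch(ev):
            hits.append((i, "gogs_hook_write"))
    return hits


# Constructed sample telemetry (hypothetical, not real logs).
SAMPLE_EVENTS: List[Event] = [
    # 0: traversal only in the JSON body of an org-creation request
    {"event_type": "NETWORK_HTTP", "src_ip": "203.0.113.10",
     "request_url": "/api/v1/orgs",
     "request_body": '{"username":"../../../../tmp/evil"}'},
    # 1: upper-case percent-encoded traversal in the URL
    {"event_type": "NETWORK_HTTP", "src_ip": "203.0.113.11",
     "request_url": "/org/%2E%2E%2Fhooks/settings", "request_body": ""},
    # 2: benign org creation, must not fire
    {"event_type": "NETWORK_HTTP", "src_ip": "198.51.100.5",
     "request_url": "/api/v1/orgs",
     "request_body": '{"username":"platform-team"}'},
    # 3: Gogs binary writing a hook file
    {"event_type": "FILE_CREATION",
     "target_path": "/data/gogs-repositories/acme/app.git/hooks/pre-receive",
     "process_path": "/app/gogs/gogs"},
    # 4: developer's own git writing a hook, not Gogs, must not fire
    {"event_type": "FILE_CREATION",
     "target_path": "/home/dev/proj/.git/hooks/pre-commit",
     "process_path": "/usr/bin/git"},
    # 5: authorised scanner probing the same path, allowlisted below
    {"event_type": "NETWORK_HTTP", "src_ip": "10.0.0.50",
     "request_url": "/api/v1/orgs/../../etc", "request_body": ""},
]

if __name__ == "__main__":
    for idx, branch in evaluate(SAMPLE_EVENTS, frozenset({"10.0.0.50"})):
        print(f"event {idx}: {branch}")
```

Event 3 fires even though it is ordinary repository provisioning, which is exactly the first false positive listed above: the file-creation branch cannot distinguish a legitimately provisioned hook from a planted one by path alone, so it is best paired with the HTTP branch or a baseline of expected hook-writing activity.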
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Gogs Org Creation with Path Traversal Name (Unauthenticated PoC)
Expected signal: HTTP POST to /api/v1/orgs with path traversal in username field; possible filesystem write to .git/hooks/ outside expected path; Gogs process creating files in unexpected directories
- Test 2: Manual Git Hook File Placement via Traversal (Filesystem Simulation)
Expected signal: File creation event for executable file in .git/hooks path; auditd syscall write/chmod events; inotify events if configured on Gogs data directory
- Test 3: Verify Gogs Version and Patch Status
Expected signal: HTTP GET requests to Gogs API version endpoint; web scraping of Gogs home page; process execution of gogs binary with --version flag
- Test 4: Post-Exploitation: Execute Command via Planted Git Hook
Expected signal: Git push operation triggering hook execution; child process spawned by Gogs with UID of Gogs service; file write to /tmp/rce_proof.txt; network connection from Gogs process if hook establishes reverse shell