GHSA-wv27-2vqp-j7g5

Suggest an improvement
Source
https://github.com/advisories/GHSA-wv27-2vqp-j7g5
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-wv27-2vqp-j7g5/GHSA-wv27-2vqp-j7g5.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-wv27-2vqp-j7g5
Aliases
  • CVE-2026-52801
Published
2026-06-23T00:03:43Z
Modified
2026-06-23T00:15:07.084378840Z
Severity
  • 8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H CVSS Calculator
Summary
Gogs has the ability to import local repositories via Mirror Settings
Details

Summary

The Gogs Mirror Settings functionality provide an alternative way from the well protected New Migration functionality for any authenticated users to import local repositories. This issue stems from a lack of validation of SaveAddress function.

Details

Here is the function implementation of the secure New Migration functionality. <img width="1200" height="755" alt="image" src="https://github.com/user-attachments/assets/a6c2f307-715e-4451-bbc1-7bd934d56f96" />

Here is the function implementation of the Mirror Settings without any validation. <img width="1200" height="477" alt="image" src="https://github.com/user-attachments/assets/a11c41b8-1d08-499c-bce6-ab40844211d7" />

PoC

The New Migration feature correctly blocked my attempt to import a local repository. <img width="1200" height="1008" alt="image" src="https://github.com/user-attachments/assets/dfc5aa3f-1cc4-427d-b7fe-274363c83c4e" />

But if I create a normal migration with a valid repository. <img width="1200" height="1006" alt="image" src="https://github.com/user-attachments/assets/c96b356e-8ca9-4e79-a69b-ff14593c0cac" />

Then, I could use the Mirror Settings feature under the Repository Settings sync a local repository. <img width="1200" height="476" alt="image" src="https://github.com/user-attachments/assets/9105475c-ae68-4d93-96d5-a3ec356deba7" />

Here is the result after the sync. <img width="1200" height="533" alt="image" src="https://github.com/user-attachments/assets/1df76642-3e55-4493-a422-f7f0619b463d" />

Impact

Users can import local repositories from the server's filesystem, which allows accessing any repository the git user has access to. There is also a potential issue of blind SSRF.

Database specific 
{
    "github_reviewed_at": "2026-06-23T00:03:43Z",
    "severity": "HIGH",
    "cwe_ids": [
        "CWE-20"
    ],
    "github_reviewed": true,
    "nvd_published_at": null
}
References

Affected packages

Go / gogs.io/gogs

Package

Name
gogs.io/gogs
View open source insights on deps.dev
Purl
pkg:golang/gogs.io/gogs

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0.14.3

Database specific

source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-wv27-2vqp-j7g5/GHSA-wv27-2vqp-j7g5.json"