# REPRO-2026-00192: Gogs path traversal in organization name results in RCE through Git hooks

## Summary

- Status: published
- Severity: critical
- Type: security
- Confidence: high

## Identifiers

- REPRO ID: REPRO-2026-00192
- CVE: CVE-2026-52813

## Package

- Name: gogs/gogs
- Ecosystem: github
- Affected: All versions before 0.14.3
- Fixed: 0.14.3

## Root Cause

Gogs (a self-hosted Git service) accepts organization names containing path traversal sequences (`../`) via the API. Because the organization name becomes part of the on-disk repository path, repositories created under such an organization are written to arbitrary filesystem locations outside the intended repository root. By creating a nested Git repository structure inside another repository's local worktree, an attacker can overwrite that repository's Git hooks (e.g. `hooks/update`) and achieve remote code execution as the `git` user.

## Reproduction Details

- Reproduced: 2026-07-01T20:38:41.803Z
- Duration: 1794 seconds
- Tool calls: 276
- Turns: Unknown
- Handoffs: 3

## Quick Verification

Run one of these commands to verify locally:

```
pruva-verify REPRO-2026-00192
pruva-verify CVE-2026-52813
```

Or open in GitHub Codespaces (zero-friction, auto-runs):

https://github.com/codespaces/new?ref=repro/REPRO-2026-00192&repo=N3mes1s/pruva-sandbox

Or download and run the script manually:

```
curl -O https://api.pruva.dev/v1/reproductions/REPRO-2026-00192/artifacts/bundle/repro/reproduction_steps.sh
chmod +x reproduction_steps.sh
./reproduction_steps.sh
```

WARNING: Run in a sandboxed environment. This exploits a real vulnerability.
## References

- NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-52813

## Artifacts

- bundle/repro/reproduction_steps.sh (reproduction_script, 19736 bytes)
- bundle/repro/rca_report.md (analysis, 11610 bytes)
- bundle/vuln_variant/reproduction_steps.sh (reproduction_script, 19991 bytes)
- bundle/vuln_variant/rca_report.md (analysis, 18915 bytes)
- bundle/coding/proposed_fix.diff (patch, 2414 bytes)
- bundle/repro/runtime_manifest.json (other, 1365 bytes)
- bundle/repro/proof_summary.txt (other, 479 bytes)
- bundle/repro/rce_marker_vuln_1.txt (other, 243 bytes)
- bundle/repro/rce_marker_vuln_2.txt (other, 243 bytes)
- bundle/repro/validation_verdict.json (other, 1493 bytes)
- bundle/ticket.json (other, 1113 bytes)
- bundle/ticket.md (ticket, 716 bytes)
- bundle/logs/upload_vuln_1/first_page.log (log, 15852 bytes)
- bundle/logs/upload_vuln_1/second_commit.log (log, 17 bytes)
- bundle/logs/upload_vuln_1/second_page.log (log, 15852 bytes)
- bundle/logs/upload_vuln_1/first_commit.log (log, 17 bytes)
- bundle/logs/http_fixed_1.log.lpost (other, 0 bytes)
- bundle/logs/http_fixed_2.log.lp (other, 7340 bytes)
- bundle/logs/git_fixed_2.log (log, 1129 bytes)
- bundle/logs/upload_fixed_1/first_page.log (log, 15795 bytes)
- bundle/logs/upload_fixed_1/first_commit.log (log, 17 bytes)
- bundle/logs/upload_fixed_2/first_page.log (log, 15909 bytes)
- bundle/logs/upload_fixed_2/first_commit.log (log, 17 bytes)
- bundle/logs/state_fixed_1.log (log, 5797 bytes)
- bundle/logs/gogs_fixed_2.log (log, 4254 bytes)
- bundle/logs/http_fixed_1.log.lp (other, 7340 bytes)
- bundle/logs/gogs_fixed_1.log (log, 4234 bytes)
- bundle/logs/http_vuln_1.log.lp (other, 7340 bytes)
- bundle/logs/http_fixed_2.log.lpost (other, 0 bytes)
- bundle/logs/gogs_vuln_2.log (log, 4929 bytes)
- bundle/logs/git_vuln_2.log (log, 1302 bytes)
- bundle/logs/http_vuln_2.log (log, 1754 bytes)
- bundle/logs/create_user_fixed_1.log (log, 62 bytes)
- bundle/logs/upload_vuln_2/first_page.log (log, 15795 bytes)
- bundle/logs/upload_vuln_2/second_commit.log (log, 17 bytes)
- bundle/logs/upload_vuln_2/second_page.log (log, 15795 bytes)
- bundle/logs/upload_vuln_2/first_commit.log (log, 17 bytes)
- bundle/logs/gogs_vuln_1.log (log, 4939 bytes)
- bundle/logs/git_fixed_1.log (log, 1123 bytes)
- bundle/logs/http_fixed_1.log (log, 1048 bytes)
- bundle/logs/create_user_vuln_2.log (log, 62 bytes)
- bundle/logs/build_vuln.log (log, 20 bytes)
- bundle/logs/http_vuln_1.log.lpost (other, 0 bytes)
- bundle/logs/build_fixed.log (log, 20 bytes)
- bundle/logs/state_vuln_1.log (log, 9288 bytes)
- bundle/logs/git_vuln_1.log (log, 1305 bytes)
- bundle/logs/state_vuln_2.log (log, 9287 bytes)
- bundle/logs/http_fixed_2.log (log, 1062 bytes)
- bundle/logs/reproduction_steps.log (log, 2256 bytes)
- bundle/logs/create_user_vuln_1.log (log, 63 bytes)
- bundle/logs/state_fixed_2.log (log, 5799 bytes)
- bundle/logs/http_vuln_1.log (log, 1761 bytes)
- bundle/logs/create_user_fixed_2.log (log, 64 bytes)
- bundle/logs/http_vuln_2.log.lpost (other, 0 bytes)
- bundle/logs/http_vuln_2.log.lp (other, 7340 bytes)
- bundle/vuln_variant/variant_manifest.json (other, 6727 bytes)
- bundle/vuln_variant/runtime_manifest.json (other, 1165 bytes)
- bundle/vuln_variant/variant_proof_summary.txt (other, 572 bytes)
- bundle/vuln_variant/findings_notes.txt (other, 2410 bytes)
- bundle/vuln_variant/rce_marker_vuln.txt (other, 255 bytes)
- bundle/vuln_variant/root_cause_equivalence.json (other, 2829 bytes)
- bundle/vuln_variant/source_identity.json (other, 1815 bytes)
- bundle/vuln_variant/patch_analysis.md (documentation, 9102 bytes)
- bundle/vuln_variant/validation_verdict.json (other, 4768 bytes)
- bundle/logs/vv_state_fixed.log (log, 5972 bytes)
- bundle/logs/vv_state_vuln.log (log, 9497 bytes)
- bundle/logs/vv_http_vuln.log (log, 1754 bytes)
- bundle/logs/vv_http_fixed.log.lpost (other, 0 bytes)
- bundle/logs/vv_git_fixed.log (log, 1126 bytes)
- bundle/logs/vv_http_fixed.log.lp (other, 7340 bytes)
- bundle/logs/vv_build_vuln.log (log, 20 bytes)
- bundle/logs/vv_create_user_vuln.log (log, 62 bytes)
- bundle/logs/vv_gogs_fixed.log (log, 4247 bytes)
- bundle/logs/vv_http_fixed.log (log, 1055 bytes)
- bundle/logs/vv_upload_fixed/first_page.log (log, 15678 bytes)
- bundle/logs/vv_upload_fixed/first_commit.log (log, 17 bytes)
- bundle/logs/vuln_variant/fixed_version.txt (other, 325 bytes)
- bundle/logs/vuln_variant/vuln_version.txt (other, 396 bytes)
- bundle/logs/vv_build_fixed.log (log, 20 bytes)
- bundle/logs/vv_create_user_fixed.log (log, 63 bytes)
- bundle/logs/vv_http_vuln.log.lpost (other, 0 bytes)
- bundle/logs/vv_git_vuln.log (log, 1303 bytes)
- bundle/logs/vv_upload_vuln/first_page.log (log, 15621 bytes)
- bundle/logs/vv_upload_vuln/second_commit.log (log, 17 bytes)
- bundle/logs/vv_upload_vuln/second_page.log (log, 15621 bytes)
- bundle/logs/vv_upload_vuln/first_commit.log (log, 17 bytes)
- bundle/logs/vv_gogs_vuln.log (log, 4932 bytes)
- bundle/logs/vuln_variant_steps.log (log, 1901 bytes)
- bundle/logs/vv_http_vuln.log.lp (other, 7340 bytes)
- bundle/coding/summary_report.md (documentation, 7824 bytes)
- bundle/coding/verify_fix.sh (other, 6398 bytes)

## API Access

- JSON: https://api.pruva.dev/v1/reproductions/REPRO-2026-00192
- Script: https://api.pruva.dev/v1/reproductions/REPRO-2026-00192/artifacts/bundle/repro/reproduction_steps.sh
- Web: https://pruva.dev/r/REPRO-2026-00192

## For AI Assistants

To help users with this reproduction:

1. The `pruva-verify` command is the simplest way to run the reproduction.
2. The script downloads and runs automatically in an isolated temp directory.
3. Always recommend running in a VM, container, or disposable environment.
4. The root cause section explains the technical vulnerability.

---

Generated by Pruva | https://pruva.dev