{"repro_id":"REPRO-2026-00192","version":87,"title":"Gogs path traversal in organization name results in RCE through Git hooks","repro_type":"security","status":"published","severity":"critical","description":"Gogs (self-hosted Git service) accepts organization names containing path traversal sequences (../) via the API. Repository paths under such organizations are written to arbitrary filesystem locations. By creating a nested Git repository structure inside another repository's local worktree, an attacker can overwrite Git hooks (e.g., hooks/update) and achieve remote code execution as the git user.","root_cause":"Gogs (self-hosted Git service) accepts organization names containing path traversal sequences (../) via the API. Repository paths under such organizations are written to arbitrary filesystem locations. By creating a nested Git repository structure inside another repository's local worktree, an attacker can overwrite Git hooks (e.g., hooks/update) and achieve remote code execution as the git user.","cve_id":"CVE-2026-52813","package":{"name":"gogs/gogs","ecosystem":"github","affected_versions":"All versions before 0.14.3","fixed_version":"0.14.3"},"reproduced_at":"2026-07-01T20:38:41.803788+00:00","duration_secs":1794.0,"tool_calls":276,"handoffs":3,"total_cost_usd":7.492673170000003,"agent_costs":{"coding":0.5695754699999999,"judge":0.02086135,"repro":4.925288940000001,"support":0.0574689,"vuln_variant":1.91947851},"cost_breakdown":{"coding":{"accounts/fireworks/routers/glm-5p2-fast":0.5695754699999999},"judge":{"gpt-5.4-mini":0.02086135},"repro":{"accounts/fireworks/routers/glm-5p2-fast":4.925288940000001},"support":{"accounts/fireworks/routers/glm-5p2-fast":0.0574689},"vuln_variant":{"accounts/fireworks/routers/glm-5p2-fast":1.91947851}},"quality":{"confidence":"high","idempotent_verified":false,"community_verifications":0},"published_at":"2026-07-01T20:38:43.350722+00:00","retracted":false,"artifacts":[{"path":"bundle/repro/reproduction_steps.sh","filename":"reproduction_steps.sh","size":19736,"category":"reproduction_script"},{"path":"bundle/repro/rca_report.md","filename":"rca_report.md","size":11610,"category":"analysis"},{"path":"bundle/vuln_variant/reproduction_steps.sh","filename":"reproduction_steps.sh","size":19991,"category":"reproduction_script"},{"path":"bundle/vuln_variant/rca_report.md","filename":"rca_report.md","size":18915,"category":"analysis"},{"path":"bundle/coding/proposed_fix.diff","filename":"proposed_fix.diff","size":2414,"category":"patch"},{"path":"bundle/repro/runtime_manifest.json","filename":"runtime_manifest.json","size":1365,"category":"other"},{"path":"bundle/repro/proof_summary.txt","filename":"proof_summary.txt","size":479,"category":"other"},{"path":"bundle/repro/rce_marker_vuln_1.txt","filename":"rce_marker_vuln_1.txt","size":243,"category":"other"},{"path":"bundle/repro/rce_marker_vuln_2.txt","filename":"rce_marker_vuln_2.txt","size":243,"category":"other"},{"path":"bundle/repro/validation_verdict.json","filename":"validation_verdict.json","size":1493,"category":"other"},{"path":"bundle/ticket.json","filename":"ticket.json","size":1113,"category":"other"},{"path":"bundle/ticket.md","filename":"ticket.md","size":716,"category":"ticket"},{"path":"bundle/logs/upload_vuln_1/first_page.log","filename":"first_page.log","size":15852,"category":"log"},{"path":"bundle/logs/upload_vuln_1/second_commit.log","filename":"second_commit.log","size":17,"category":"log"},{"path":"bundle/logs/upload_vuln_1/second_page.log","filename":"second_page.log","size":15852,"category":"log"},{"path":"bundle/logs/upload_vuln_1/first_commit.log","filename":"first_commit.log","size":17,"category":"log"},{"path":"bundle/logs/http_fixed_1.log.lpost","filename":"http_fixed_1.log.lpost","size":0,"category":"other"},{"path":"bundle/logs/http_fixed_2.log.lp","filename":"http_fixed_2.log.lp","size":7340,"category":"other"},{"path":"bundle/logs/git_fixed_2.log","filename":"git_fixed_2.log","size":1129,"category":"log"},{"path":"bundle/logs/upload_fixed_1/first_page.log","filename":"first_page.log","size":15795,"category":"log"},{"path":"bundle/logs/upload_fixed_1/first_commit.log","filename":"first_commit.log","size":17,"category":"log"},{"path":"bundle/logs/upload_fixed_2/first_page.log","filename":"first_page.log","size":15909,"category":"log"},{"path":"bundle/logs/upload_fixed_2/first_commit.log","filename":"first_commit.log","size":17,"category":"log"},{"path":"bundle/logs/state_fixed_1.log","filename":"state_fixed_1.log","size":5797,"category":"log"},{"path":"bundle/logs/gogs_fixed_2.log","filename":"gogs_fixed_2.log","size":4254,"category":"log"},{"path":"bundle/logs/http_fixed_1.log.lp","filename":"http_fixed_1.log.lp","size":7340,"category":"other"},{"path":"bundle/logs/gogs_fixed_1.log","filename":"gogs_fixed_1.log","size":4234,"category":"log"},{"path":"bundle/logs/http_vuln_1.log.lp","filename":"http_vuln_1.log.lp","size":7340,"category":"other"},{"path":"bundle/logs/http_fixed_2.log.lpost","filename":"http_fixed_2.log.lpost","size":0,"category":"other"},{"path":"bundle/logs/gogs_vuln_2.log","filename":"gogs_vuln_2.log","size":4929,"category":"log"},{"path":"bundle/logs/git_vuln_2.log","filename":"git_vuln_2.log","size":1302,"category":"log"},{"path":"bundle/logs/http_vuln_2.log","filename":"http_vuln_2.log","size":1754,"category":"log"},{"path":"bundle/logs/create_user_fixed_1.log","filename":"create_user_fixed_1.log","size":62,"category":"log"},{"path":"bundle/logs/upload_vuln_2/first_page.log","filename":"first_page.log","size":15795,"category":"log"},{"path":"bundle/logs/upload_vuln_2/second_commit.log","filename":"second_commit.log","size":17,"category":"log"},{"path":"bundle/logs/upload_vuln_2/second_page.log","filename":"second_page.log","size":15795,"category":"log"},{"path":"bundle/logs/upload_vuln_2/first_commit.log","filename":"first_commit.log","size":17,"category":"log"},{"path":"bundle/logs/gogs_vuln_1.log","filename":"gogs_vuln_1.log","size":4939,"category":"log"},{"path":"bundle/logs/git_fixed_1.log","filename":"git_fixed_1.log","size":1123,"category":"log"},{"path":"bundle/logs/http_fixed_1.log","filename":"http_fixed_1.log","size":1048,"category":"log"},{"path":"bundle/logs/create_user_vuln_2.log","filename":"create_user_vuln_2.log","size":62,"category":"log"},{"path":"bundle/logs/build_vuln.log","filename":"build_vuln.log","size":20,"category":"log"},{"path":"bundle/logs/http_vuln_1.log.lpost","filename":"http_vuln_1.log.lpost","size":0,"category":"other"},{"path":"bundle/logs/build_fixed.log","filename":"build_fixed.log","size":20,"category":"log"},{"path":"bundle/logs/state_vuln_1.log","filename":"state_vuln_1.log","size":9288,"category":"log"},{"path":"bundle/logs/git_vuln_1.log","filename":"git_vuln_1.log","size":1305,"category":"log"},{"path":"bundle/logs/state_vuln_2.log","filename":"state_vuln_2.log","size":9287,"category":"log"},{"path":"bundle/logs/http_fixed_2.log","filename":"http_fixed_2.log","size":1062,"category":"log"},{"path":"bundle/logs/reproduction_steps.log","filename":"reproduction_steps.log","size":2256,"category":"log"},{"path":"bundle/logs/create_user_vuln_1.log","filename":"create_user_vuln_1.log","size":63,"category":"log"},{"path":"bundle/logs/state_fixed_2.log","filename":"state_fixed_2.log","size":5799,"category":"log"},{"path":"bundle/logs/http_vuln_1.log","filename":"http_vuln_1.log","size":1761,"category":"log"},{"path":"bundle/logs/create_user_fixed_2.log","filename":"create_user_fixed_2.log","size":64,"category":"log"},{"path":"bundle/logs/http_vuln_2.log.lpost","filename":"http_vuln_2.log.lpost","size":0,"category":"other"},{"path":"bundle/logs/http_vuln_2.log.lp","filename":"http_vuln_2.log.lp","size":7340,"category":"other"},{"path":"bundle/vuln_variant/variant_manifest.json","filename":"variant_manifest.json","size":6727,"category":"other"},{"path":"bundle/vuln_variant/runtime_manifest.json","filename":"runtime_manifest.json","size":1165,"category":"other"},{"path":"bundle/vuln_variant/variant_proof_summary.txt","filename":"variant_proof_summary.txt","size":572,"category":"other"},{"path":"bundle/vuln_variant/findings_notes.txt","filename":"findings_notes.txt","size":2410,"category":"other"},{"path":"bundle/vuln_variant/rce_marker_vuln.txt","filename":"rce_marker_vuln.txt","size":255,"category":"other"},{"path":"bundle/vuln_variant/root_cause_equivalence.json","filename":"root_cause_equivalence.json","size":2829,"category":"other"},{"path":"bundle/vuln_variant/source_identity.json","filename":"source_identity.json","size":1815,"category":"other"},{"path":"bundle/vuln_variant/patch_analysis.md","filename":"patch_analysis.md","size":9102,"category":"documentation"},{"path":"bundle/vuln_variant/validation_verdict.json","filename":"validation_verdict.json","size":4768,"category":"other"},{"path":"bundle/logs/vv_state_fixed.log","filename":"vv_state_fixed.log","size":5972,"category":"log"},{"path":"bundle/logs/vv_state_vuln.log","filename":"vv_state_vuln.log","size":9497,"category":"log"},{"path":"bundle/logs/vv_http_vuln.log","filename":"vv_http_vuln.log","size":1754,"category":"log"},{"path":"bundle/logs/vv_http_fixed.log.lpost","filename":"vv_http_fixed.log.lpost","size":0,"category":"other"},{"path":"bundle/logs/vv_git_fixed.log","filename":"vv_git_fixed.log","size":1126,"category":"log"},{"path":"bundle/logs/vv_http_fixed.log.lp","filename":"vv_http_fixed.log.lp","size":7340,"category":"other"},{"path":"bundle/logs/vv_build_vuln.log","filename":"vv_build_vuln.log","size":20,"category":"log"},{"path":"bundle/logs/vv_create_user_vuln.log","filename":"vv_create_user_vuln.log","size":62,"category":"log"},{"path":"bundle/logs/vv_gogs_fixed.log","filename":"vv_gogs_fixed.log","size":4247,"category":"log"},{"path":"bundle/logs/vv_http_fixed.log","filename":"vv_http_fixed.log","size":1055,"category":"log"},{"path":"bundle/logs/vv_upload_fixed/first_page.log","filename":"first_page.log","size":15678,"category":"log"},{"path":"bundle/logs/vv_upload_fixed/first_commit.log","filename":"first_commit.log","size":17,"category":"log"},{"path":"bundle/logs/vuln_variant/fixed_version.txt","filename":"fixed_version.txt","size":325,"category":"other"},{"path":"bundle/logs/vuln_variant/vuln_version.txt","filename":"vuln_version.txt","size":396,"category":"other"},{"path":"bundle/logs/vv_build_fixed.log","filename":"vv_build_fixed.log","size":20,"category":"log"},{"path":"bundle/logs/vv_create_user_fixed.log","filename":"vv_create_user_fixed.log","size":63,"category":"log"},{"path":"bundle/logs/vv_http_vuln.log.lpost","filename":"vv_http_vuln.log.lpost","size":0,"category":"other"},{"path":"bundle/logs/vv_git_vuln.log","filename":"vv_git_vuln.log","size":1303,"category":"log"},{"path":"bundle/logs/vv_upload_vuln/first_page.log","filename":"first_page.log","size":15621,"category":"log"},{"path":"bundle/logs/vv_upload_vuln/second_commit.log","filename":"second_commit.log","size":17,"category":"log"},{"path":"bundle/logs/vv_upload_vuln/second_page.log","filename":"second_page.log","size":15621,"category":"log"},{"path":"bundle/logs/vv_upload_vuln/first_commit.log","filename":"first_commit.log","size":17,"category":"log"},{"path":"bundle/logs/vv_gogs_vuln.log","filename":"vv_gogs_vuln.log","size":4932,"category":"log"},{"path":"bundle/logs/vuln_variant_steps.log","filename":"vuln_variant_steps.log","size":1901,"category":"log"},{"path":"bundle/logs/vv_http_vuln.log.lp","filename":"vv_http_vuln.log.lp","size":7340,"category":"other"},{"path":"bundle/coding/summary_report.md","filename":"summary_report.md","size":7824,"category":"documentation"},{"path":"bundle/coding/verify_fix.sh","filename":"verify_fix.sh","size":6398,"category":"other"}]}