CVE-2026-52813 variant analysis findings
========================================

Fix commit: f6acd467305943aae8403cbac81f0118dd1235d7 (PR #8334), released v0.14.3
- repoutil.UserPath/RepositoryPath now wrap owner+repo with pathutil.Clean
- v1 org create: inline AlphaDashDot validation in CreateOrgForUser
  (api.CreateOrgOption lives in external module, can't carry binding tags)
  -> rejects ../, /, etc. (422)

pathutil.Clean(p) = strings.Trim(path.Clean("/"+p), "/") -> robustly neutralizes ..
So UserPath/RepositoryPath block owner+repo traversal at the PATH level on v0.14.3.

GAP (defense-in-depth, NOT reachable):
- database.RepoPath (repo.go:1356, deprecated) and database.WikiPath (wiki.go:54)
  call repoutil.UserPath(owner) [cleans owner] but do NOT pathutil.Clean the
  REPO NAME (only strings.ToLower). Used by MigrateRepository (repo.go:808-809)
  -> git clone --mirror.
- BUT every repo-NAME entry point has AlphaDashDot binding (blocks '/'):
  form.CreateRepo.RepoName, form.MigrateRepo.RepoName, form.RepoSetting.RepoName,
  api.CreateRepoOption.Name -> all "Required;AlphaDashDot;MaxSize(100)".
  AlphaDashDotPattern = [^\d\w-_\.] -> rejects '/' and '\'.
- So repo-name traversal is NOT reachable on v0.14.2 OR v0.14.3. Gap is theoretical.

VARIANT (alternate trigger, NOT a bypass):
- POST /api/v1/user/orgs (CreateMyOrg, reqToken only -> NON-ADMIN) binds
  api.CreateOrgOption (UserName binding:"Required" only, NO AlphaDashDot)
  -> CreateOrgForUser -> CreateOrganization -> repoutil.UserPath(org.Name).
- v0.14.2: CreateOrgForUser has NO inline validation; UserPath has no
  pathutil.Clean -> traversal org name accepted -> SAME RCE chain as repro but
  via NON-ADMIN endpoint. (Repro used admin POST /api/v1/admin/users/:user/orgs;
  this proves ANY authenticated user can do it -> matches RCA "low-privileged
  authenticated user" claim.)
- v0.14.3: CreateOrgForUser inline AlphaDashDot rejects (422) + UserPath cleans.
  FIXED.

Local copy worktree path = data/tmp/local-r/ (Repository.LocalCopyPath()
repo.go:648, uses "local-r" on BOTH v0.14.2 and v0.14.3).
repoutil.RepositoryLocalPath uses "local-repo" but is NOT used by the actual
UpdateLocalCopyBranch sync.

Verdict: alternate-trigger variant confirmed on vulnerable (non-admin entry
point); NOT a bypass of v0.14.3 (fixed by inline AlphaDashDot + pathutil.Clean).
No true bypass of the fixed version found.
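
The two layers named in the verdict, as an added example (not code from the project or from these findings): clean copies the pathutil.Clean expression quoted above and alphaDashDot copies the quoted character class. The root constant, joinRaw/joinClean (a simplified model of the owner join before and after the fix), escapesRoot, validName and the sample names are assumptions constructed for illustration.

```go
package main

import (
	"fmt"
	"path"
	"regexp"
	"strings"
)

// root is a constructed repository root, not a path taken from the project.
const root = "/data/repos"

// alphaDashDot is the character class quoted in the findings; a match means the
// name holds a character outside digits, word characters, '-', '_' and '.'.
var alphaDashDot = regexp.MustCompile(`[^\d\w-_\.]`)

// clean reproduces the expression the findings give for pathutil.Clean:
// anchor at "/", let path.Clean resolve "..", then strip the slashes.
func clean(p string) string { return strings.Trim(path.Clean("/"+p), "/") }

// joinRaw models (assumption) a join with no cleaning of the name.
func joinRaw(name string) string { return path.Join(root, name) }

// joinClean models (assumption) a join that cleans the name first.
func joinClean(name string) string { return path.Join(root, clean(name)) }

// escapesRoot reports whether p resolves to a location outside root.
func escapesRoot(p string) bool {
	return p != root && !strings.HasPrefix(p, root+"/")
}

// validName is true when the name passes the AlphaDashDot character class,
// the input-level check that answers with 422 on failure per the findings.
func validName(name string) bool { return !alphaDashDot.MatchString(name) }

func main() {
	// Constructed sample names: two benign, two traversal-shaped, one with '\'.
	names := []string{"alice", "my.org-1", "../../tmp/x", "a/../../../etc", `a\b`}
	for _, n := range names {
		raw, cl := joinRaw(n), joinClean(n)
		fmt.Printf("%-18q valid=%-5v raw=%-20s escapes=%-5v clean=%-20s escapes=%v\n",
			n, validName(n), raw, escapesRoot(raw), cl, escapesRoot(cl))
	}
}
```

Either layer alone stops the traversal-shaped names here: validation rejects them before any path is built, and the cleaned join keeps the result under root even when validation is absent.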