{
  "claim_outcome": "confirmed",
  "claim_block_reason": null,
  "variant_result": "alternate_trigger_confirmed_not_bypass",
  "variant_summary": "Distinct alternate trigger found: the CVE-2026-52813 path-traversal -> RCE chain is reachable on Gogs v0.14.2 through the NON-ADMIN self-service endpoint POST /api/v1/user/orgs (org.CreateMyOrg, protected by reqToken() only, accepting api.CreateOrgOption with no AlphaDashDot validation), by an authenticated user with is_admin=0. The root cause is the same (repoutil.UserPath does not apply pathutil.Clean to the owner name) and so is the sink (a bare repo is created outside the repository ROOT, inside another repo's local worktree; an executable post-update hook is planted via Git smart-HTTP + web-upload sync; git-receive-pack executes the hook as the Gogs user -> RCE). This lowers the required privilege versus the original admin-based reproduction, matching the parent RCA's 'low-privileged authenticated user' claim.",
  "is_bypass": false,
  "bypass_reason": "On the fixed Gogs v0.14.3 (commit 3ba8aca90e17e5410b7e8b227c9f29256ac3e875), CreateOrgForUser (internal/route/api/v1/org/org.go) validates the org name inline with binding.AlphaDashDotPattern and MaxSize(35), returning HTTP 422 for the traversal name; repoutil.UserPath additionally applies pathutil.Clean. The same variant run on v0.14.3 produced org_create_status=422, nested_repo_exists=no, rce_triggered=no. Therefore the variant does NOT reproduce on the fixed version and is not a bypass.",
  "vulnerable_version_reproduced": true,
  "fixed_version_blocked": true,
  "validated_surface": "api_remote",
  "evidence_scope": "production_path",
  "claimed_impact_class": "code_execution",
  "observed_impact_class": "code_execution",
  "exploitability_confidence": "high",
  "attacker_controlled_input": "Organization (owner) name containing ../ path-traversal sequences, supplied via POST /api/v1/user/orgs (the api.CreateOrgOption.username field, which has no AlphaDashDot validation) by a non-admin authenticated user; plus an executable Git hook pushed through Gogs Git smart-HTTP.",
  "trigger_path": "Non-admin POST /api/v1/user/orgs (CreateMyOrg) -> CreateOrgForUser (no inline validation on v0.14.2) -> CreateOrganization -> repoutil.UserPath (no pathutil.Clean on v0.14.2) -> traversal org dir at <APP_DATA_PATH>/tmp/local-r/<wid>/nested (outside repository ROOT, inside writer worktree) -> POST /api/v1/org/<enc>/repos -> nested bare repo -> executable post-update planted via Git smart-HTTP + web-upload sync -> git-receive-pack runs hook as Gogs user (RCE). Fixed v0.14.3: inline AlphaDashDot (422) + pathutil.Clean.",
  "end_to_end_target_reached": true,
  "sanitizer_used": false,
  "crash_observed": false,
  "read_write_primitive_observed": true,
  "exploit_chain_demonstrated": true,
  "blocking_mitigation": "Gogs v0.14.3: inline AlphaDashDot validation in CreateOrgForUser (HTTP 422) + pathutil.Clean in repoutil.UserPath. Both admin and non-admin v1 org-creation endpoints are covered (both route through CreateOrgForUser).",
  "secondary_findings": {
    "defense_in_depth_gap": "database.RepoPath (internal/database/repo.go:1356, deprecated) and database.WikiPath (internal/database/wiki.go:54) do not apply pathutil.Clean to the repository name (only strings.ToLower), unlike the hardened repoutil.RepositoryPath. Both are used by MigrateRepository (repo.go:808-809). Currently NOT exploitable because every repository-name entry point (form.CreateRepo, form.MigrateRepo, form.RepoSetting, api.CreateRepoOption) enforces AlphaDashDot (blocks '/'). Recommend hardening RepoPath/WikiPath (applying pathutil.Clean, as repoutil.RepositoryPath does) or removing them, so that path safety does not depend on every caller validating the name first.",
    "gap_reachable": false,
    "gap_tested": true
  },
  "search_exhaustiveness": "All org-name and repo-name entry points inspected: v1 API org create (admin + non-admin, both via CreateOrgForUser), web org create (form.CreateOrg, AlphaDashDot), v1 API repo create/migrate (api.CreateRepoOption/form.MigrateRepo, AlphaDashDot), web repo create/migrate/rename (form.CreateRepo/MigrateRepo/RepoSetting, AlphaDashDot), repo fork (form.CreateRepo, AlphaDashDot), user create/rename (UserPath cleaned). The only endpoints without AlphaDashDot on the name are the org-creation endpoints (api.CreateOrgOption), which reach UserPath (cleaned on v0.14.3) and are inline-validated on v0.14.3. No true bypass of v0.14.3 found.",
  "inferred": false,
  "runtime_evidence": {
    "vuln_org_create_status": "201",
    "vuln_repo_create_status": "201",
    "vuln_nested_repo_exists": "yes",
    "vuln_hook_planted": "yes",
    "vuln_rce_triggered": "yes",
    "vuln_is_admin": "0",
    "fixed_org_create_status": "422",
    "fixed_nested_repo_exists": "no",
    "fixed_rce_triggered": "no",
    "fixed_is_admin": "0",
    "marker_file": "bundle/vuln_variant/rce_marker_vuln.txt",
    "proof_summary": "bundle/vuln_variant/variant_proof_summary.txt"
  }
}
