CVE-2026-52813 VARIANT — non-admin org creation (POST /api/v1/user/orgs) vulnerable_commit=5dcb6c64bdf61e38dbdbb941c1d69789c560d0fb (v0.14.2) fixed_commit=3ba8aca90e17e5410b7e8b227c9f29256ac3e875 (v0.14.3) entrypoint=POST /api/v1/user/orgs (org.CreateMyOrg, reqToken only, NON-ADMIN) vuln_nonadmin_rce=1 # 1 = traversal org accepted (201) + nested repo outside ROOT + executable hook planted + RCE marker written, by a NON-ADMIN user fixed_blocked=1 # 1 = traversal org rejected (422), no nested repo, no RCE bypass=no observed_impact=code_execution