
CVE

CVE-2026-26194

Gogs: Release tag option injection in release deletion

Summary

When deleting a release, Gogs passes the user-controlled tag name to git tag -d without an end-of-options separator. A tag name that begins with - is therefore parsed by Git as an option rather than a tag name (Git option injection), which can make release deletion fail or behave unexpectedly.

Affected Component

  • internal/database/release.go

    process.ExecDir(..., "git", "tag", "-d", rel.TagName)

Details

  rel.TagName is passed as a CLI argument to git tag -d without a -- or --end-of-options separator.

  If the tag name begins with -, Git parses it as an option instead of a tag name.

  The prior mitigation is incomplete. The tag name is sanitized during release creation:

  • internal/database/release.go

    r.TagName = strings.TrimLeft(r.TagName, "-")

  But this covers only that one creation path. Tags that reach the repository by other means, such as git push or direct ref updates, are never sanitized, so the deletion path is not reliably protected.

Exploit Conditions

  1. An attacker can add a tag name that starts with a dash into the repository.
  2. A user with permission to delete releases triggers it through the web UI or API.

Recommended Fix

  1. Add the end-of-options separator in release deletion:
    • git tag -d -- <tagName>
  2. Prefer the safe git-module deletion helper, which handles option separation correctly.
  3. Audit all Git commands that receive user input and ensure the end-of-options separator is always used before user-controlled operands.
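The following is an added illustration, not Gogs code and not the project's fix. It models the affected argv shape beside the corrected one, reproduces the creation-time TrimLeft mitigation to show why it does not cover pushed tags, and includes a small audit check that flags any argv in which a user-controlled operand starting with - is not preceded by --. The function names, the sample tag names and the audit helper are constructed for this example.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed example (not Gogs code). Hypothetical helpers that model how an
// argv for `git tag -d` is assembled before being handed to an exec wrapper.

// VulnerableTagDeleteArgs mirrors the affected call shape: the user-controlled
// tag name follows the fixed options with no separator.
func VulnerableTagDeleteArgs(tagName string) []string {
	return []string{"tag", "-d", tagName}
}

// FixedTagDeleteArgs inserts the end-of-options separator so Git treats the
// tag name as an operand even when it begins with "-".
func FixedTagDeleteArgs(tagName string) []string {
	return []string{"tag", "-d", "--", tagName}
}

// CreationTimeSanitize reproduces the creation-path mitigation. It only helps
// for tags created through that path; tags pushed directly bypass it.
func CreationTimeSanitize(tagName string) string {
	return strings.TrimLeft(tagName, "-")
}

// OptionInjectionRisk is an audit check for an argv in which argv[operandIdx]
// is user-controlled: it reports true when that value would be parsed as an
// option, i.e. it starts with "-" and no "--" appears before it.
func OptionInjectionRisk(argv []string, operandIdx int) bool {
	if operandIdx < 0 || operandIdx >= len(argv) {
		return false
	}
	for _, a := range argv[:operandIdx] {
		if a == "--" {
			return false // everything after "--" is an operand
		}
	}
	return strings.HasPrefix(argv[operandIdx], "-")
}

func main() {
	// Constructed sample tag names: one ordinary, one that reached the repo
	// via `git push` with a leading dash and never saw CreationTimeSanitize.
	for _, tag := range []string{"v0.14.1", "-pushed-tag"} {
		v := VulnerableTagDeleteArgs(tag)
		f := FixedTagDeleteArgs(tag)
		fmt.Printf("tag %q\n", tag)
		fmt.Printf("  unsafe argv %v risk=%v\n", v, OptionInjectionRisk(v, 2))
		fmt.Printf("  fixed  argv %v risk=%v\n", f, OptionInjectionRisk(f, 3))
	}
	// The creation-path mitigation strips the dash, but only for tags that
	// pass through it.
	fmt.Println("sanitized at creation:", CreationTimeSanitize("-pushed-tag"))
}
```

The audit check is the reusable part: run it over every exec call site that forwards a user-supplied ref, tag or path, with the index of the user-controlled argument, and treat a true result as a missing separator. Nothing here invokes Git; it only inspects how the argument list is built.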

Impact

  • Option injection into git tag -d
  • Tag/release deletion can fail or behave unexpectedly
  • Operational denial of service in release cleanup workflows
  • Potential release metadata inconsistency


CVSS Scores

  Severity  Base Score  CVSS Version  Score Vector
  High      8.8         4.0           CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  High      8.2         3.1           CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H


References

  • https://github.com/gogs/gogs/security/advisories/GHSA-v9vm-r24h-6rqm
  • https://nvd.nist.gov/vuln/detail/CVE-2026-26194
  • https://github.com/gogs/gogs/pull/8175
  • https://github.com/gogs/gogs/commit/a000f0c7a632ada40e6829abdeea525db4c0fc2d
  • https://github.com/gogs/gogs
  • https://github.com/gogs/gogs/releases/tag/v0.14.2

Severity

  8.2 (CVSS score on a 0 to 10 scale)

Basic Information

  Base CVSS: 8.2
  EPSS Probability: 0.00051%
  EPSS Percentile: 0.16055%
  Introduced Version: 0, v0.14.0-rc.1, v0.0.0-20240219003941-3650b32ec586, v0.12.0, v0.0.0-20191024085146-01c8df01ec06, v0.9.113, v0.0.0-20161223005830-03f7f3ee67f9, v0.0.0-20161223003506-f471ef1bc7b5, v0.7.19, v0.0.0-20151120073841-987dcc537299
  Fix Available: 0.14.2, v0.14.2-rc.1, v0.0.0-20260213022444-a000f0c7a632
