Cyber Resilience

CVE-2026-26194

HighPublic PoC

Published: 05 March 2026

Published
05 March 2026
Modified
06 March 2026
KEV Added
Patch
CVSS Score v4 8.8 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0043 34.5th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-26194 is a high-severity Argument Injection (CWE-88) vulnerability in Gogs Gogs. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 34.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-26194 is an argument injection vulnerability (CWE-88) in Gogs, an open source self-hosted Git service. In versions prior to 0.14.2, the release deletion functionality passes a user-controlled tag name to a Git command without proper separation of arguments. This allows attackers to inject Git options into the command, potentially disrupting or manipulating the underlying Git process. The vulnerability carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:H), indicating high severity due to impacts on integrity and availability.

An authenticated user with low privileges (PR:L) can exploit this vulnerability over the network (AV:N) by supplying a malicious tag name during release deletion, though it requires user interaction (UI:R), such as tricking an administrator into performing the action. Successful exploitation enables injection of Git options, which can alter the command's behavior, leading to high integrity (I:H) and availability (A:H) impacts, such as process disruption, unauthorized Git operations, or potential escalation depending on the injected options and environment.

The issue has been addressed in Gogs version 0.14.2, where the patch properly handles argument separation in the release deletion command. Security practitioners should upgrade to v0.14.2 or later, as detailed in the GitHub security advisory (GHSA-v9vm-r24h-6rqm), the fixing commit (a000f0c7a632ada40e6829abdeea525db4c0fc2d), pull request #8175, and the release notes. No workarounds are specified beyond updating.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Gogs is an open source self-hosted Git service. Prior to version 0.14.2, there's a security issue in gogs where deleting a release can fail if a user controlled tag name is passed to git without the right separator, this lets…

more

git options get injected and mess with the process. This issue has been patched in version 0.14.2.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Argument injection in network-accessible Gogs web app directly enables exploitation of a public-facing application (T1190) to manipulate Git operations and impact integrity/availability.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-64175Same product: Gogs Gogs
CVE-2025-64111Same product: Gogs Gogs
CVE-2025-8110Same product: Gogs Gogs
CVE-2026-25921Same product: Gogs Gogs
CVE-2026-25232Same product: Gogs Gogs
CVE-2026-26276Same product: Gogs Gogs
CVE-2026-25242Same product: Gogs Gogs
CVE-2026-24135Same product: Gogs Gogs
CVE-2026-26022Same product: Gogs Gogs
CVE-2026-44193Shared CWE-88

Affected Assets

gogs
gogs
≤ 0.14.2

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly enforces validation and sanitization of the user-controlled tag name to block argument injection into the Git command.

prevent

Requires timely application of the vendor patch (v0.14.2) that enforces proper argument separation during release deletion.

detect

Verifies integrity of the Gogs binary and configuration to detect unauthorized changes that could enable or exploit the injection flaw.

References