CVE-2026-26194
Published: 05 March 2026
Summary
CVE-2026-26194 is a high-severity Argument Injection (CWE-88) vulnerability in Gogs Gogs. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 34.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-26194 is an argument injection vulnerability (CWE-88) in Gogs, an open source self-hosted Git service. In versions prior to 0.14.2, the release deletion functionality passes a user-controlled tag name to a Git command without proper separation of arguments. This allows attackers to inject Git options into the command, potentially disrupting or manipulating the underlying Git process. The vulnerability carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:H), indicating high severity due to impacts on integrity and availability.
An authenticated user with low privileges (PR:L) can exploit this vulnerability over the network (AV:N) by supplying a malicious tag name during release deletion, though it requires user interaction (UI:R), such as tricking an administrator into performing the action. Successful exploitation enables injection of Git options, which can alter the command's behavior, leading to high integrity (I:H) and availability (A:H) impacts, such as process disruption, unauthorized Git operations, or potential escalation depending on the injected options and environment.
The issue has been addressed in Gogs version 0.14.2, where the patch properly handles argument separation in the release deletion command. Security practitioners should upgrade to v0.14.2 or later, as detailed in the GitHub security advisory (GHSA-v9vm-r24h-6rqm), the fixing commit (a000f0c7a632ada40e6829abdeea525db4c0fc2d), pull request #8175, and the release notes. No workarounds are specified beyond updating.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-9852
Vulnerability details
Gogs is an open source self-hosted Git service. Prior to version 0.14.2, there's a security issue in gogs where deleting a release can fail if a user controlled tag name is passed to git without the right separator, this lets…
more
git options get injected and mess with the process. This issue has been patched in version 0.14.2.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Argument injection in network-accessible Gogs web app directly enables exploitation of a public-facing application (T1190) to manipulate Git operations and impact integrity/availability.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly enforces validation and sanitization of the user-controlled tag name to block argument injection into the Git command.
Requires timely application of the vendor patch (v0.14.2) that enforces proper argument separation during release deletion.
Verifies integrity of the Gogs binary and configuration to detect unauthorized changes that could enable or exploit the injection flaw.