CVE-2026-26194
Published: 05 March 2026
Summary
CVE-2026-26194 is a high-severity Argument Injection (CWE-88) vulnerability in Gogs Gogs. Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 13.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Threat & Defense at a Glance
Threat & Defense Details
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Argument injection in network-accessible Gogs web app directly enables exploitation of a public-facing application (T1190) to manipulate Git operations and impact integrity/availability.
NVD Description
Gogs is an open source self-hosted Git service. Prior to version 0.14.2, there's a security issue in gogs where deleting a release can fail if a user controlled tag name is passed to git without the right separator, this lets…
more
git options get injected and mess with the process. This issue has been patched in version 0.14.2.
Deeper analysisAI
CVE-2026-26194 is an argument injection vulnerability (CWE-88) in Gogs, an open source self-hosted Git service. In versions prior to 0.14.2, the release deletion functionality passes a user-controlled tag name to a Git command without proper separation of arguments. This allows attackers to inject Git options into the command, potentially disrupting or manipulating the underlying Git process. The vulnerability carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:H), indicating high severity due to impacts on integrity and availability.
An authenticated user with low privileges (PR:L) can exploit this vulnerability over the network (AV:N) by supplying a malicious tag name during release deletion, though it requires user interaction (UI:R), such as tricking an administrator into performing the action. Successful exploitation enables injection of Git options, which can alter the command's behavior, leading to high integrity (I:H) and availability (A:H) impacts, such as process disruption, unauthorized Git operations, or potential escalation depending on the injected options and environment.
The issue has been addressed in Gogs version 0.14.2, where the patch properly handles argument separation in the release deletion command. Security practitioners should upgrade to v0.14.2 or later, as detailed in the GitHub security advisory (GHSA-v9vm-r24h-6rqm), the fixing commit (a000f0c7a632ada40e6829abdeea525db4c0fc2d), pull request #8175, and the release notes. No workarounds are specified beyond updating.
Details
- CWE(s)