CVE-2026-23633

6.5 MEDIUM

📋 TL;DR

This vulnerability in Gogs allows attackers to read or write arbitrary files on the server through path traversal in Git hook editing functionality. Attackers can potentially access sensitive configuration files, source code, or system files. All Gogs instances running vulnerable versions are affected.
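The defect class the TL;DR describes is a hook name that reaches the file system without validation. The following is an added example, written for this page and not taken from the Gogs source, that puts the weak pattern next to a hardened form: an allowlist of hook names plus a containment check on the joined path. The hook names and the hooks directory are assumed values.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// allowedHooks is an allowlist of server-side hook names. Constructed for
// this example; it is not taken from the Gogs source.
var allowedHooks = map[string]bool{
	"pre-receive":  true,
	"update":       true,
	"post-receive": true,
}

var errBadHookName = errors.New("invalid hook name")

// unsafeHookPath is the weak pattern: the caller-supplied name is joined onto
// the hooks directory without validation, so a name containing ".." resolves
// to a file outside the directory.
func unsafeHookPath(hooksDir, name string) string {
	return filepath.Join(hooksDir, name)
}

// safeHookPath accepts only allowlisted names and, as defence in depth,
// confirms that the joined path still lies inside hooksDir.
func safeHookPath(hooksDir, name string) (string, error) {
	if !allowedHooks[name] {
		return "", errBadHookName
	}
	base := filepath.Clean(hooksDir)
	full := filepath.Join(base, name)
	rel, err := filepath.Rel(base, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", errBadHookName
	}
	return full, nil
}

func main() {
	hooksDir := "/srv/gogs/repos/team/app.git/hooks" // constructed path
	for _, name := range []string{"pre-receive", "../../app.ini", "update/../../HEAD"} {
		fmt.Printf("unvalidated: %-20q -> %s\n", name, unsafeHookPath(hooksDir, name))
		if p, err := safeHookPath(hooksDir, name); err != nil {
			fmt.Printf("validated:   %-20q -> rejected\n", name)
		} else {
			fmt.Printf("validated:   %-20q -> %s\n", name, p)
		}
	}
}
```

The allowlist is the real control; the `filepath.Rel` check only guards against a future change that widens the allowlist to free-form names.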

💻 Affected Systems

Products:
  • Gogs
Versions: 0.13.3 and prior
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All Gogs installations with Git hook editing enabled are vulnerable. The vulnerability requires authenticated access to edit hooks.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete server compromise through arbitrary file write leading to remote code execution, or sensitive data exposure through arbitrary file read.

🟠 Likely Case: Unauthorized access to sensitive files like configuration files, SSH keys, or source code repositories.

🟢 If Mitigated: Limited impact if proper access controls and network segmentation are in place, though file system access remains possible.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated user access to edit Git hooks. The path traversal vulnerability is straightforward to exploit once authenticated.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.13.4 or 0.14.0+dev

Vendor Advisory: https://github.com/gogs/gogs/security/advisories/GHSA-mrph-w4hh-gx3g

Restart Required: Yes

Instructions:

1. Back up your Gogs data and configuration.
2. Stop the Gogs service.
3. Update to version 0.13.4 or later.
4. Restart the Gogs service.
5. Verify the update was successful.

🔧 Temporary Workarounds

Disable Git hook editing (applies to: all)

Temporarily disable Git hook editing functionality to prevent exploitation.

Modify the Gogs configuration to disable hook editing in app.ini:

[repository]
ENABLE_GIT_HOOK_EDIT = false

Restrict user permissions (applies to: all)

Limit which users can edit repository hooks.

Review and restrict repository permissions in the Gogs admin panel.

🧯 If You Can't Patch

  • Implement strict network access controls to limit Gogs access to trusted users only
  • Enable detailed logging and monitoring for Git hook modification activities

🔍 How to Verify

Check if Vulnerable:

Check Gogs version via web interface or configuration file. Versions 0.13.3 and earlier are vulnerable.

Check Version:

Check the Gogs web interface dashboard or examine the VERSION file in the installation directory.

Verify Fix Applied:

Verify Gogs version is 0.13.4 or later after update.
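Comparing version strings by eye is error-prone when a fleet mixes release and development builds, so here is an added example (not part of the page or of Gogs) that decides "vulnerable or not" for a version string against the 0.13.4 fix named above. The sample values are constructed stand-ins for the contents of a VERSION file.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// fixedVersion is the lowest patched release named in the advisory summary.
const fixedVersion = "0.13.4"

// parseVersion turns strings such as "0.13.3", "v0.13.4" or "0.14.0+dev" into
// major/minor/patch integers. Build metadata after "+" is ignored, matching the
// "0.14.0+dev" form used above; a pre-release tag after "-" is ignored too,
// which is a simplification (it treats "0.13.4-rc1" as the 0.13.4 release).
func parseVersion(s string) ([3]int, error) {
	var v [3]int
	s = strings.TrimPrefix(strings.TrimSpace(s), "v")
	if i := strings.IndexAny(s, "+-"); i >= 0 {
		s = s[:i]
	}
	parts := strings.Split(s, ".")
	if len(parts) != 3 {
		return v, fmt.Errorf("unexpected version format %q", s)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return v, fmt.Errorf("bad version component %q", p)
		}
		v[i] = n
	}
	return v, nil
}

// isVulnerable reports whether version predates fixedVersion.
func isVulnerable(version string) (bool, error) {
	v, err := parseVersion(version)
	if err != nil {
		return false, err
	}
	f, _ := parseVersion(fixedVersion)
	for i := 0; i < 3; i++ {
		if v[i] != f[i] {
			return v[i] < f[i], nil
		}
	}
	return false, nil
}

func main() {
	// Constructed sample values standing in for the contents of a VERSION file.
	for _, s := range []string{"0.13.3", "0.13.4", "0.14.0+dev", "0.12.11", "latest"} {
		vuln, err := isVulnerable(s)
		if err != nil {
			fmt.Printf("%-12s -> cannot decide: %v\n", s, err)
			continue
		}
		fmt.Printf("%-12s -> vulnerable=%v\n", s, vuln)
	}
}
```

An unparseable value is reported as undecidable rather than "not vulnerable", so a missing or malformed VERSION file never silently passes the check.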

📡 Detection & Monitoring

Log Indicators:

  • Unusual Git hook modification patterns
  • Path traversal attempts in hook edit requests
  • Multiple failed hook edit attempts

Network Indicators:

  • Unusual file access patterns from Gogs server
  • Outbound connections to unexpected destinations after hook edits

SIEM Query:

source="gogs" AND (event="hook_edit" OR event="hook_update") AND (path CONTAINS ".." OR path CONTAINS "/etc" OR path CONTAINS "/root")
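The query above matches a literal ".." in the request path, which misses percent-encoded or double-encoded forms. The following is an added example, not part of this page or of Gogs, that applies the same log indicators to constructed sample lines: it decodes the hook-name segment repeatedly before inspecting it and also counts failed hook-edit requests per user. The log line shape (user, method, path, status) and the `/settings/hooks/git/<name>` endpoint pattern are assumptions; Gogs's real access-log format may differ, so adjust the regular expression to your own logs.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Constructed sample lines in a simplified access-log shape:
// <user> <method> <path> <status>. Not the real Gogs log format.
var sampleLog = []string{
	"alice POST /team/app/settings/hooks/git/pre-receive 302",
	"mallory POST /team/app/settings/hooks/git/..%2F..%2Fapp.ini 302",
	"mallory POST /team/app/settings/hooks/git/%252e%252e%252fconfig 404",
	"mallory POST /team/app/settings/hooks/git/update%00 404",
	"bob GET /team/app/settings/hooks/git/update 200",
	"mallory POST /team/app/settings/hooks/git/post-receive/../../HEAD 404",
}

// hookEdit matches hook-edit requests; the endpoint pattern is assumed.
var hookEdit = regexp.MustCompile(`^(\S+) (POST|GET) (\S+/settings/hooks/git/)(\S+) (\d{3})$`)

type Alert struct {
	User, Reason, Raw string
}

// decodeFully applies url.PathUnescape until the value stops changing (at
// most three rounds), so double-encoded sequences such as %252e are seen as "..".
func decodeFully(s string) string {
	for i := 0; i < 3; i++ {
		d, err := url.PathUnescape(s)
		if err != nil || d == s {
			break
		}
		s = d
	}
	return s
}

// suspiciousHookName explains why a decoded hook name looks like traversal,
// or returns "" when it looks like a plain hook name.
func suspiciousHookName(name string) string {
	d := decodeFully(name)
	switch {
	case strings.Contains(d, ".."):
		return "dot-dot sequence"
	case strings.ContainsAny(d, `/\`):
		return "path separator in hook name"
	case strings.ContainsRune(d, 0):
		return "NUL byte"
	}
	return ""
}

// scan returns one alert per suspicious hook-edit request and a per-user count
// of failed (4xx/5xx) hook-edit requests for the "multiple failures" indicator.
func scan(lines []string) ([]Alert, map[string]int) {
	var alerts []Alert
	failures := map[string]int{}
	for _, l := range lines {
		m := hookEdit.FindStringSubmatch(l)
		if m == nil {
			continue
		}
		user, name, status := m[1], m[4], m[5]
		if status[0] == '4' || status[0] == '5' {
			failures[user]++
		}
		if why := suspiciousHookName(name); why != "" {
			alerts = append(alerts, Alert{user, why, l})
		}
	}
	return alerts, failures
}

func main() {
	alerts, failures := scan(sampleLog)
	for _, a := range alerts {
		fmt.Printf("ALERT user=%s reason=%q line=%q\n", a.User, a.Reason, a.Raw)
	}
	for user, n := range failures {
		if n >= 3 {
			fmt.Printf("ALERT user=%s failed hook edits=%d\n", user, n)
		}
	}
}
```

The "multiple failed attempts" threshold of three is a starting point to tune against your own baseline; a successful request with a traversal name (the 302 line above) is the higher-priority signal because the page describes the read or write succeeding on unpatched versions.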
