CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-26194: Command Option Injection in Gogs Release Deletion

Vulnerability ID: CVE-2026-26194
CVSS Score: 8.8
Published: 2026-03-05

A high-severity command option injection vulnerability exists in the Gogs self-hosted Git service prior to version 0.14.2. The flaw resides in the DeleteReleaseOfRepoByID function, where user-supplied Git tag names are passed directly to a system shell command without adequate sanitization or argument separation. This allows an attacker to inject arbitrary flags into the underlying git binary execution, potentially leading to Denial of Service (DoS) or unauthorized information disclosure.

TL;DR

Gogs failed to properly sanitize Git tag names during release deletion, allowing attackers to inject command-line flags into the git tag -d execution. This can cause service crashes or information leaks. Fixed in version 0.14.2.


Technical Details

  • CWE ID: CWE-88
  • Vulnerability Type: Command Option Injection
  • CVSS v4.0: 8.8 (High)
  • Attack Vector: Network
  • Exploit Status: None / PoC
  • Remediation: Upgrade to v0.14.2

Affected Systems

  • Gogs (Self-hosted Git Service)
  • Gogs: < 0.14.2 (Fixed in: 0.14.2)

Code Analysis

Commit: a000f0c

Fix execution of git tag deletion by using safe git-module abstraction

--- a/internal/database/release.go
+++ b/internal/database/release.go
@@ -359,11 +358,13 @@
-   _, stderr, err := process.ExecDir(-1, repo.RepoPath(),
-       fmt.Sprintf("DeleteReleaseByID (git tag -d): %d", rel.ID),
-       "git", "tag", "-d", rel.TagName)
-   if err != nil && !strings.Contains(stderr, "not found") {
-       return errors.Newf("git tag -d: %v - %s", err, stderr)
+   gitRepo, err := git.Open(repo.RepoPath())
+   if err != nil {
+       return errors.Newf("open repository: %v", err)
    }
+   err = gitRepo.DeleteTag(rel.TagName)
+   if err != nil && !strings.Contains(err.Error(), "not found") {
+       return errors.Newf("delete tag: %v", err)
+   }
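Review bot: the replacement still decides whether a failed deletion is benign by substring-matching "not found" on the error text (the `strings.Contains(err.Error(), "not found")` line), so any other failure whose message happens to contain those words is silently swallowed, and a change in git's wording would turn a genuinely missing tag into a hard error; if the git module exposes a typed or sentinel error for a missing tag, compare against that instead, and otherwise at least log the error that is being ignored. Routing the deletion through `gitRepo.DeleteTag` is the right way to stop the tag name from being parsed as an option, but nothing in this hunk shows how `DeleteTag` separates the name from options, so that should be confirmed in the module rather than assumed.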

Mitigation Strategies

  • Software Upgrade
  • Input Validation
  • Access Control

Remediation Steps:

  1. Upgrade Gogs immediately to version 0.14.2 or later.
  2. If upgrading is not immediately possible, implement a pre-receive hook in the Git repositories to reject tag pushes that start with a hyphen (-).
  3. Audit existing repositories for tags starting with hyphens and remove them manually using safe Git commands (e.g., git tag -d -- <tagname>).
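To make the defect and its repair concrete, here is an added Go example (not Gogs' code) that validates the tag name and places `--` before it, the same separation the manual cleanup step above uses, so that a hyphen-prefixed name can no longer reach git as an option; `ValidateTagName`, `SafeDeleteArgs` and `DeleteTag` are hypothetical names. It assumes a plain `git` binary on PATH and no shell in between.

```go
package main

import (
	"errors"
	"fmt"
	"os/exec"
	"strings"
)

// ErrUnsafeTagName is returned for names git would parse as a command option.
var ErrUnsafeTagName = errors.New("tag name must not start with '-'")

// ValidateTagName rejects the hyphen-prefixed names that CVE-2026-26194
// relies on, plus empty names (a usage error rather than a deletion).
func ValidateTagName(name string) error {
	if name == "" {
		return errors.New("tag name is empty")
	}
	if strings.HasPrefix(name, "-") {
		return ErrUnsafeTagName
	}
	return nil
}

// SafeDeleteArgs validates the name and inserts "--" so that git treats
// whatever follows as an operand, never as an option.
func SafeDeleteArgs(tag string) ([]string, error) {
	if err := ValidateTagName(tag); err != nil {
		return nil, err
	}
	return []string{"tag", "-d", "--", tag}, nil
}

// DeleteTag (hypothetical helper) runs the hardened command in repoPath.
// No shell is involved: exec.Command passes argv straight to git.
func DeleteTag(repoPath, tag string) error {
	args, err := SafeDeleteArgs(tag)
	if err != nil {
		return err
	}
	cmd := exec.Command("git", args...)
	cmd.Dir = repoPath
	out, err := cmd.CombinedOutput()
	if err != nil && !strings.Contains(string(out), "not found") {
		return fmt.Errorf("git %s: %v - %s", strings.Join(args, " "), err, out)
	}
	return nil
}
```

The "not found" tolerance is kept only because the original code had it; a typed error from a git library is preferable where one is available.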

Read the full report for CVE-2026-26194 on our website for more details including interactive diagrams and full exploit analysis.
