GHSA-V9VM-R24H-6RQM

Vulnerability from github – Published: 2026-03-05 19:29 – Updated: 2026-03-05 22:28
Summary
Gogs: Release tag option injection in release deletion
Details

Summary

There is a security issue in Gogs where deleting a release passes a user-controlled tag name to Git without an end-of-options separator. This allows Git option injection, which can make the deletion fail or behave unexpectedly.

Affected Component

  • internal/database/release.go: process.ExecDir(..., "git", "tag", "-d", rel.TagName)

Details

rel.TagName is used as a CLI argument to git tag -d without -- or --end-of-options. If the tag name begins with -, Git parses it as a flag.

The prior mitigation is incomplete. There is sanitization in place on the release creation path:

  • internal/database/release.go: r.TagName = strings.TrimLeft(r.TagName, "-")

But it covers only one creation path, so it does not reliably protect deletion of tags that bypass it, such as tags added through git push or ref updates.

Exploit Conditions

  1. An attacker can add a tag name that starts with a dash into the repository.
  2. A user with permission to delete releases triggers it through the web UI or API.

Recommended Fix

  1. Add end-of-options in release deletion:
    • git tag -d -- <tagName>
  2. It is better to use the safe git-module deletion helper since it handles options properly.
  3. All Git commands should be audited for user input, ensuring that the end-of-options separator is always used.
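As an added example (not Gogs's own code and not the patch referenced by this advisory), the flawed argv from the Details section is shown beside the "--"-terminated form of fix item 1, together with a small audit check for fix item 3; the function names and the use of os/exec to run the command are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"os/exec"
	"strings"
)

// Constructed illustration, not Gogs's own code. The flawed pattern: the
// user-controlled tag name follows "-d" directly, so "-x" is read as an option.
func vulnerableTagDeleteArgs(tagName string) []string {
	return []string{"tag", "-d", tagName}
}

// Recommended form: "--" ends option parsing, so whatever follows is an
// operand even if it begins with "-".
func safeTagDeleteArgs(tagName string) []string {
	return []string{"tag", "-d", "--", tagName}
}

// operandProtected is an audit helper for fix item 3: true when argv[idx]
// can only be read as an operand (no leading "-", or a "--" precedes it).
func operandProtected(argv []string, idx int) bool {
	if idx < 0 || idx >= len(argv) {
		return false
	}
	if !strings.HasPrefix(argv[idx], "-") {
		return true
	}
	for _, a := range argv[:idx] {
		if a == "--" {
			return true
		}
	}
	return false
}

// deleteReleaseTag runs the hardened command in repoPath; empty names are rejected up front.
func deleteReleaseTag(repoPath, tagName string) error {
	if tagName == "" {
		return errors.New("empty tag name")
	}
	cmd := exec.Command("git", safeTagDeleteArgs(tagName)...)
	cmd.Dir = repoPath
	if out, err := cmd.CombinedOutput(); err != nil {
		return fmt.Errorf("git tag -d failed: %w: %s", err, out)
	}
	return nil
}
```

operandProtected can be run over every git argv a code base builds to flag call sites where a user-supplied operand is not preceded by "--".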

Impact

  • Option injection into git tag -d
  • Tag/release deletion can fail or behave unexpectedly
  • Operational denial of service in release cleanup workflows
  • Potential release metadata inconsistency

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.14.1"
      },
      "package": {
        "ecosystem": "Go",
        "name": "gogs.io/gogs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.14.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-26194"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-88"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-05T19:29:44Z",
    "nvd_published_at": "2026-03-05T19:16:03Z",
    "severity": "HIGH"
  },
  "details": "### Summary\n\nThere is a security issue in Gogs where deleting a release can fail if a user-controlled tag name is passed to Git without the right separator, allowing Git option injection and therefore interfering with the process.\n\n### Affected Component\n\n  - internal/database/release.go\n    `process.ExecDir(..., \"git\", \"tag\", \"-d\", rel.TagName)`\n\n### Details\n\n  `rel.TagName` is used as a CLI argument to `git tag -d` without `--` or `--end-of-options`.\n  If the tag name begins with `-`, Git parses it as a flag.\n\n  The prior mitigation is incomplete. There is path sanitization in place during creation:\n\n  - internal/database/release.go\n    `r.TagName = strings.TrimLeft(r.TagName, \"-\")`\n\n  But it only covers one creation path and does not reliably protect tag deletions, such as tags added through `git push` or ref updates.\n\n**Exploit Conditions**\n1. An attacker can add a tag name that starts with a dash into the repository.\n2. A user with permission to delete releases triggers it through the web UI or API.\n\n### Recommended Fix\n\n1. Add end-of-options in release deletion:\n      - `git tag -d -- \u003ctagName\u003e`\n2. It is better to use the safe git-module deletion helper since it handles options properly.\n3. All Git commands should be audited for user input, ensuring that the end-of-options separator is always used.\n\n### Impact\n  - Option injection into `git tag -d`\n  - Tag/release deletion can fail or behave unexpectedly\n  - Operational denial of service in release cleanup workflows\n  - Potential release metadata inconsistency",
  "id": "GHSA-v9vm-r24h-6rqm",
  "modified": "2026-03-05T22:28:40Z",
  "published": "2026-03-05T19:29:44Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/gogs/gogs/security/advisories/GHSA-v9vm-r24h-6rqm"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26194"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gogs/gogs/pull/8175"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gogs/gogs/commit/a000f0c7a632ada40e6829abdeea525db4c0fc2d"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/gogs/gogs"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gogs/gogs/releases/tag/v0.14.2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Gogs: Release tag option injection in release deletion"
}

