Summary
Gogs has the ability to import local repositories via Mirror Settings
Advisory details
Summary
The Gogs Mirror Settings functionality provide an alternative way from the well protected New Migration functionality for any authenticated users to import local repositories. This issue stems from a lack of validation of SaveAddress function.
Details
Here is the function implementation of the secure New Migration functionality.
Here is the function implementation of the Mirror Settings without any validation.
PoC
The New Migration feature correctly blocked my attempt to import a local repository.
But if I create a normal migration with a valid repository.
Then, I could use the Mirror Settings feature under the Repository Settings sync a local repository.
Here is the result after the sync.
Impact
Users can import local repositories from the server's filesystem, which allows accessing any repository the git user has access to. There is also a potential issue of blind SSRF.
References
Related vulnerabilities
All Supply chain →- HIGHCVE-2026-33692
AVideo Vulnerable to Unauthenticated .env File Exposure via Official Docker Compose Configuration
- HIGHCVE-2026-21887
OpenCTI has Semi-Blind SSRF via Unvalidated External URL in Data Ingestion Feature
- MEDIUMCVE-2025-64719
Gogs has a Denial of Service in repository/wiki file listing web pages
- HIGHCVE-2026-52800
Gogs Vulnerable to CSRF Leading to Organization Owner Takeover
- HIGHCVE-2026-52799
Gogs Missing Authorization in Attachment Download
- HIGHCVE-2026-52798
Gogs has Stored XSS in `.ipynb` Preview