8.8
Gogs: Malicious Tag Names Can Crash Release Deletion
CVE-2026-26194
GHSA-v9vm-r24h-6rqm
Summary
Deleting a release in Gogs can fail or behave unexpectedly if a user-controlled tag name starts with a dash, potentially causing a denial of service in release cleanup workflows. This issue affects users who can delete releases. The fix is to handle user input in Git commands properly: use the safe git-module deletion helper or add the end-of-options separator to Git commands.
What to do
- Update gogs.io gogs to version 0.14.2.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| gogs.io | gogs | <= 0.14.1 | 0.14.2 |
| gogs | gogs | <= 0.14.2 | – |
Original title
Gogs: Release tag option injection in release deletion
Original description
### Summary
There is a security issue in Gogs where deleting a release can fail if a user-controlled tag name is passed to Git without the right separator, allowing Git option injection and therefore interfering with the process.
### Affected Component
- `internal/database/release.go`: `process.ExecDir(..., "git", "tag", "-d", rel.TagName)`
### Details
`rel.TagName` is used as a CLI argument to `git tag -d` without `--` or `--end-of-options`.
If the tag name begins with `-`, Git parses it as a flag.
The prior mitigation is incomplete. There is path sanitization in place during creation:
- `internal/database/release.go`: `r.TagName = strings.TrimLeft(r.TagName, "-")`
But it only covers one creation path and does not reliably protect tag deletions, such as tags added through `git push` or ref updates.
**Exploit Conditions**
1. An attacker can add a tag name that starts with a dash into the repository.
2. A user with permission to delete releases triggers it through the web UI or API.
### Recommended Fix
1. Add end-of-options in release deletion:
   - `git tag -d -- <tagName>`
2. It is better to use the safe git-module deletion helper since it handles options properly.
3. All Git commands should be audited for user input, ensuring that the end-of-options separator is always used.
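The two argument shapes discussed above, plus a small check in the spirit of fix item 3, as an added Go example (not Gogs code and not the project's patch). The function names, the `trusted` parameter and the sample tag names are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// tagDeleteArgsUnsafe mirrors the argument shape quoted in the advisory:
// the tag name follows "-d" directly, so Git still parses it for options.
func tagDeleteArgsUnsafe(tagName string) []string {
	return []string{"tag", "-d", tagName}
}

// tagDeleteArgsSafe adds "--" so everything after it is positional.
func tagDeleteArgsSafe(tagName string) []string {
	return []string{"tag", "-d", "--", tagName}
}

// untrustedAsOption is a hypothetical audit helper. The first `trusted`
// elements of args are developer-written; the rest come from user input.
// It returns the first user-supplied value Git would read as an option.
func untrustedAsOption(args []string, trusted int) (string, bool) {
	for i, a := range args {
		if i < trusted {
			if a == "--" || a == "--end-of-options" {
				return "", false // separator seen: the rest is positional
			}
			continue
		}
		if strings.HasPrefix(a, "-") {
			return a, true
		}
	}
	return "", false
}

func main() {
	// Constructed sample tag names; the second begins with a dash.
	for _, tag := range []string{"v1.0.0", "--constructed-example"} {
		_, bad := untrustedAsOption(tagDeleteArgsUnsafe(tag), 2)
		_, stillBad := untrustedAsOption(tagDeleteArgsSafe(tag), 3)
		fmt.Printf("%-24q unsafe form flagged=%v, safe form flagged=%v\n", tag, bad, stillBad)
	}
}
```

The same check can run in a unit test over every argument vector that carries a repository-controlled name, so a missing separator fails the build instead of surfacing at deletion time.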
### Impact
- Option injection into `git tag -d`
- Tag/release deletion can fail or behave unexpectedly
- Operational denial of service in release cleanup workflows
- Potential release metadata inconsistency
nvd CVSS3.1
7.3
nvd CVSS4.0
8.8
Vulnerability type
CWE-88
- https://github.com/gogs/gogs/commit/a000f0c7a632ada40e6829abdeea525db4c0fc2d Patch
- https://github.com/gogs/gogs/pull/8175 Issue Tracking
- https://github.com/gogs/gogs/releases/tag/v0.14.2 Release Notes
- https://github.com/gogs/gogs/security/advisories/GHSA-v9vm-r24h-6rqm Exploit Vendor Advisory Mitigation
- https://nvd.nist.gov/vuln/detail/CVE-2026-26194
- https://github.com/advisories/GHSA-v9vm-r24h-6rqm
Published: 5 Mar 2026 · Updated: 11 Mar 2026 · First seen: 6 Mar 2026