diff --git a/rules-emerging-threats/2026/Exploits/CVE-2026-52806/proc_creation_lnx_exploit_cve_2026_52806.yml b/rules-emerging-threats/2026/Exploits/CVE-2026-52806/proc_creation_lnx_exploit_cve_2026_52806.yml new file mode 100644 index 00000000000..71df092cf03 --- /dev/null +++ b/rules-emerging-threats/2026/Exploits/CVE-2026-52806/proc_creation_lnx_exploit_cve_2026_52806.yml 
@@ -0,0 +1,46 @@ +title: Potential CVE-2026-52806 Exploitation - Gogs Rebase Argument Injection RCE +id: c1c6a4a7-9795-5282-80c7-11da044740ae +status: experimental +description: | + Detects exploitation of CVE-2026-52806, an authenticated argument-injection remote code execution + (CWE-88, CVSSv4 9.4) in Gogs. A pull request with a malicious base-branch name injects an --exec flag + into the git rebase that Gogs runs during "Rebase before merging". Because the base branch name is passed + to git rebase without a -- separator, a branch named like --exec= is interpreted by git as a flag and + the command runs via sh -c as the Gogs server user. Any authenticated user can exploit it; on instances + with open registration (the default) that means any user. A public Metasploit module exists + (multi/http/gogs_rebase_rce). Fixed in Gogs 0.14.3. The 0-FP discriminator is the parent process: the + exploit launches git rebase from the Gogs server process, whereas a legitimate git rebase --exec from a + developer shell or CI runner has a non-gogs parent and does not match. 
+references: + - https://www.rapid7.com/blog/post/ve-authenticated-rce-via-argument-injection-gogs-unfixed/ + - https://thehackernews.com/2026/05/critical-gogs-rce-vulnerability-lets.html + - https://github.com/gogs/gogs/pull/8301 +author: WRG-11 +date: 2026-06-01 +modified: 2026-06-12 +tags: + - attack.execution + - attack.initial-access + - attack.t1059 + - attack.t1190 + - detection.emerging-threats + - cve.2026-52806 +logsource: + category: process_creation + product: linux +detection: + selection_git_rebase: + Image|endswith: '/git' + CommandLine|contains: 'rebase' + selection_exec_injection: + CommandLine|contains: + - '--exec' + - ' -x ' + selection_gogs_parent: + ParentImage|endswith: '/gogs' + condition: selection_git_rebase and selection_exec_injection and selection_gogs_parent +falsepositives: + - A deployment that intentionally runs 'git rebase --exec' as the Gogs service user (for example + a scripted maintenance task); add a CommandLine allowlist for that specific command after + field-testing. +level: critical
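Review bot: The description's claim of a "0-FP discriminator" contradicts the rule's own `falsepositives` entry, which already names a case (`git rebase --exec` run intentionally as the Gogs service user) that the parent-process check cannot distinguish from exploitation; reword the description to say the parent check excludes developer-shell and CI rebases rather than asserting zero false positives, and keep the allowlist advice in `falsepositives` only. Two smaller points in the same hunk: a newly added rule should not carry a `modified:` date that differs from `date:` (drop `modified: 2026-06-12` until the rule is changed after merge), and the first reference slug `.../ve-authenticated-rce-via-argument-injection-gogs-unfixed/` looks like it lost its leading characters during copy, so please confirm the URL resolves before merge. On the detection logic, `CommandLine|contains: 'rebase'` matches the substring anywhere in the line, which is acceptable given the `ParentImage` and `--exec` conjunction, but a comment noting that the three selections are meant to be read together would help future maintainers.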