ctipilot.ch


UPDATE: Gogs CVE-2026-52806 moves from "no observed exploitation" to active cryptojacking campaign

From CTI Daily Brief — 2026-06-29 · published 2026-06-29

UPDATE (originally covered 2026-06-20): When this brief first covered the Gogs argument-injection RCE CVE-2026-52806 (a branch name injects --exec into git rebase; fixed in 0.14.3 on 2026-06-07), no exploitation had been observed. Wiz Threat Research now reports the flaw under active in-the-wild exploitation: a cryptojacking campaign active 2026-06-13–23 chained Gogs and Argo Workflows vulnerabilities for initial access, compromised thousands of Linux hosts, and pivoted across more than 300 additional Kubernetes nodes (Wiz Threat Research, 2026-06-28). The new development is the exploitation, not the bug — the CVE mechanics and patch were covered on 2026-06-20.

Per Wiz, once on a node the operators stole Kubernetes service-account tokens and used them to schedule workloads cluster-wide, then escaped to host via privileged containers to deploy cryptominers; Wiz designates the actor "Unknown" and names the C2 framework "Realm C2." The Gogs argument-injection vector is the same one documented by Rapid7 — an authenticated (effectively unauthenticated on default open-registration instances) RCE via a malicious pull-request branch name during a "rebase before merging" operation (Rapid7 Labs). ATT&CK chain as reported: T1190 (exploit public-facing Argo Workflows / Gogs) → T1078.004 (stolen K8s service-account tokens) → T1610 (deploy container) → T1611 (escape to host) → T1496 (resource hijacking).

Defender delta since 2026-06-20: the patch urgency is now exploitation-driven, not advisory-driven. If self-hosted Gogs is still below 0.14.3, prioritise the upgrade and disable open self-registration (DISABLE_REGISTRATION = true). Hunt for three things: in K8s API-server audit logs, create on workflows.argoproj.io and on pods from unexpected service accounts; git rebase child processes spawned by the Gogs service user; and privileged-container/nsenter activity. Enforce Pod Security Admission (restricted) and audit RBAC to remove default service accounts with node-escalation rights. Scope/attribution figures (thousands of hosts, 300+ nodes, "Realm C2") are Wiz's single-source assessment — see § 7.
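Detection logic for the audit-log hunt described above, as an added example that is not part of the brief and not Wiz's or Rapid7's tooling: it reads audit.k8s.io/v1 Event JSON lines and flags create on Argo workflows or on pods by service accounts outside an allowlist, plus pod specs requesting privileged containers or hostPID. The allowlist, namespaces and sample events are constructed assumptions to be tuned per cluster.

```python
import json

# Constructed allowlist (hypothetical cluster): service accounts expected to
# create Argo Workflows and pods. Key is (apiGroup, resource) as in objectRef.
EXPECTED_CREATORS = {
    ("argoproj.io", "workflows"): {"system:serviceaccount:argo:argo-server"},
    ("", "pods"): {"system:serviceaccount:argo:argo",
                   "system:serviceaccount:kube-system:replicaset-controller"},
}

def is_privileged(pod):
    """True if a pod manifest asks for hostPID or a privileged container."""
    spec = (pod or {}).get("spec", {})
    containers = spec.get("containers", []) + spec.get("initContainers", [])
    return bool(spec.get("hostPID")) or any(
        c.get("securityContext", {}).get("privileged") for c in containers)

def triage_event(event):
    """Return finding strings for one audit.k8s.io/v1 Event ([] if benign)."""
    if event.get("verb") != "create":
        return []
    ref = event.get("objectRef", {})
    key = (ref.get("apiGroup", ""), ref.get("resource"))
    user = event.get("user", {}).get("username", "")
    ns = ref.get("namespace")
    findings = []
    if key in EXPECTED_CREATORS and user not in EXPECTED_CREATORS[key]:
        findings.append(f"unexpected {key[1]} create by {user} in ns={ns}")
    # requestObject is only logged at the Request/RequestResponse audit levels.
    if key == ("", "pods") and is_privileged(event.get("requestObject")):
        findings.append(f"privileged/hostPID pod by {user} in ns={ns}")
    return findings

def hunt(jsonl_text):
    """Run triage over JSON-lines audit log text; return all findings."""
    return [f for line in jsonl_text.splitlines() if line.strip()
            for f in triage_event(json.loads(line))]

# Constructed sample: a benign workflow create, one from a stray default SA,
# and a privileged hostPID pod from an SA that never creates pods normally.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"verb": "create", "user": {"username": "system:serviceaccount:argo:argo-server"},
     "objectRef": {"apiGroup": "argoproj.io", "resource": "workflows", "namespace": "argo"}},
    {"verb": "create", "user": {"username": "system:serviceaccount:default:default"},
     "objectRef": {"apiGroup": "argoproj.io", "resource": "workflows", "namespace": "argo"}},
    {"verb": "create", "user": {"username": "system:serviceaccount:default:default"},
     "objectRef": {"apiGroup": "", "resource": "pods", "namespace": "kube-system"},
     "requestObject": {"spec": {"hostPID": True, "containers": [
         {"name": "x", "securityContext": {"privileged": True}}]}}},
])
```

Run hunt(SAMPLE_LOG) against real logs by feeding the audit backend's JSON-lines file; a stolen service-account token shows up here as a legitimate SA name creating resources it never creates.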