
Critical Gogs RCE Bug Enables Code Execution for Any Authenticated User

Originally published on: May 30, 2026
Summary

– A critical, unpatched vulnerability (CVSS 9.4) in the Gogs Git service allows any authenticated user to achieve remote code execution by injecting the `--exec` flag into a `git rebase` operation via a malicious pull request branch name.
– The attack does not require admin privileges or user interaction; any registered user can create a repository, enable rebase merging, and execute the exploit chain alone.
– Successful exploitation can lead to server compromise, access to all repositories, credential dumping, lateral movement, cross-tenant data breaches, and code tampering.
– The flaw affects all supported platforms (Windows, Linux, macOS), and there are an estimated 1,141 internet-facing Gogs instances, with many more behind internal networks.
– In lieu of a patch, mitigations include restricting user registration and repository creation in the configuration, and auditing rebase merge settings.

A critical security vulnerability has been uncovered in Gogs, the widely used open-source, self-hosted Git service. The flaw enables any authenticated user to execute arbitrary code on a server under specific conditions, posing a serious risk to deployments worldwide.

Security firm Rapid7 has assigned this bug a severity rating of 9.4 out of 10 on the CVSS scale, yet it currently lacks a CVE identifier. The issue was detailed by researcher Jonah Burgess, who explained that the exploit hinges on a malicious pull request. By crafting a branch name that injects the `--exec` flag into the `git rebase` command during the “Rebase before merging” operation, an attacker can achieve remote code execution (RCE).

Rebasing is a standard Git operation that replays the commits of one branch on top of another to produce a linear project history; unlike merging, it rewrites commit history. Crucially, `git rebase` accepts a shell command via the `--exec` flag and runs that command after each replayed commit. Because the pull request's branch name ends up in the `git rebase` argument list, a name that begins with `--exec` is read by Git as that flag rather than as a branch, and the attacker's command runs with the privileges of the Gogs server process. This feature becomes the attack vector.
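The argument-injection pattern described above, as an added example that is not Gogs' code and not taken from the advisory: `rebaseArgsUnsafe` models a server splicing two user-controlled branch names straight into git's argv (the exact command line Gogs builds is not reproduced here; the shape `git rebase <base> <head>` is an assumption for illustration), while `rebaseArgsSafe` rejects names with a hypothetical re-implementation of the `git check-ref-format --branch` rules, which forbid a leading `-`, and adds `--` so git's option parser stops before the positional arguments. The branch names and the injected command string are constructed sample input.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Constructed sample input: a base branch, a benign head branch name, and a
// head branch name shaped so that git would parse it as --exec. The command
// after --exec= is illustrative only.
const (
	baseBranch   = "master"
	benignHead   = "feature/login-fix"
	injectedHead = "--exec=id > /tmp/rebase-exec"
)

// rebaseArgsUnsafe models the vulnerable pattern: user-controlled branch names
// are placed directly into git's argument vector, so a name beginning with "--"
// reaches git's option parser as a flag. The command shape is an assumption.
func rebaseArgsUnsafe(base, head string) []string {
	return []string{"git", "rebase", base, head}
}

// looksLikeOption reports whether git's option parser would read arg as a
// flag rather than as a revision or branch name.
func looksLikeOption(arg string) bool {
	return strings.HasPrefix(arg, "-")
}

// ValidateBranchName is a hypothetical re-implementation (not Gogs' own code)
// of the `git check-ref-format --branch` rules relevant here: a branch name may
// not begin with '-', and the remaining ref-name rules reject characters and
// sequences that have no business in a name passed to git.
func ValidateBranchName(name string) error {
	switch {
	case name == "" || name == "@":
		return errors.New("empty or reserved branch name")
	case strings.HasPrefix(name, "-"):
		return fmt.Errorf("branch name %q must not begin with '-'", name)
	case strings.HasPrefix(name, "/"), strings.HasSuffix(name, "/"), strings.HasSuffix(name, "."):
		return fmt.Errorf("branch name %q has a forbidden leading or trailing character", name)
	case strings.Contains(name, ".."), strings.Contains(name, "//"), strings.Contains(name, "@{"):
		return fmt.Errorf("branch name %q contains a forbidden sequence", name)
	case strings.ContainsAny(name, " ~^:?*[\\"):
		return fmt.Errorf("branch name %q contains a forbidden character", name)
	}
	for _, r := range name {
		if r < 0x20 || r == 0x7f {
			return fmt.Errorf("branch name %q contains a control character", name)
		}
	}
	for _, comp := range strings.Split(name, "/") {
		if strings.HasPrefix(comp, ".") || strings.HasSuffix(comp, ".lock") {
			return fmt.Errorf("branch name %q has a forbidden path component %q", name, comp)
		}
	}
	return nil
}

// rebaseArgsSafe validates both names before they can reach git and, as
// defense in depth, inserts "--" so that git stops option parsing before the
// positional arguments even if validation is ever bypassed.
func rebaseArgsSafe(base, head string) ([]string, error) {
	if err := ValidateBranchName(base); err != nil {
		return nil, err
	}
	if err := ValidateBranchName(head); err != nil {
		return nil, err
	}
	return []string{"git", "rebase", "--", base, head}, nil
}

func main() {
	fmt.Printf("unsafe argv: %q\n", rebaseArgsUnsafe(baseBranch, injectedHead))
	if _, err := rebaseArgsSafe(baseBranch, injectedHead); err != nil {
		fmt.Println("rejected:", err)
	}
	safe, _ := rebaseArgsSafe(baseBranch, benignHead)
	fmt.Printf("safe argv:   %q\n", safe)
}
```

The validation is the real fix; `--` only protects the one command line it is placed on. A server that also resolves the name against `refs/heads/` (for example with `git rev-parse --verify`) before invoking `git rebase` closes the gap for names that pass the syntax check but refer to nothing.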

A particularly alarming aspect of this vulnerability is that it requires no admin privileges and no interaction from other users. Any unauthenticated attacker can simply create an account and a repository on a default-configured instance. “Any registered user who creates a repo is automatically its owner,” Burgess noted. “From there, enabling rebase merging is a single toggle in settings, and the entire exploit chain can be operated without interaction from any other user.”

Alternatively, if a user already has write access to a repository where rebase merging is enabled, they can exploit the flaw directly. On instances where repository creation is restricted, the attacker must have write access to any repository with rebase merging turned on.

As of now, the vulnerability remains unpatched, despite being reported to the Gogs maintainer on March 17, 2026. Successful exploitation could allow an attacker to breach the server, access every repository, dump credentials, move laterally to other network-accessible systems, and tamper with any hosted code. This could also lead to a cross-tenant data breach, enabling the attacker to read private repositories belonging to other users on the same shared server.

Rapid7 has confirmed that the flaw affects all supported platforms, including Windows, Linux, and macOS. While an estimated 1,141 Gogs instances are exposed to the internet, the true number is likely much higher, as many deployments sit behind VPNs or on internal networks.

In the absence of a patch, Rapid7 recommends several mitigations. First, restrict user registration by setting `DISABLE_REGISTRATION = true` in the `[service]` section of `app.ini` to block untrusted users from creating accounts. Second, limit repository creation with `MAX_CREATION_LIMIT = 0` in the `[repository]` section to prevent users from making their own repositories. Third, audit rebase merge settings across all repositories.
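A check for the two configuration workarounds, as an added example rather than a tool from Rapid7 or the Gogs project: it parses the minimal INI dialect `app.ini` uses and reports whether `[service] DISABLE_REGISTRATION` and `[repository] MAX_CREATION_LIMIT` are set to the recommended values, treating a missing key as the weak default (registration open, creation unlimited). The two `app.ini` fragments are constructed sample input, not a real deployment's file.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Constructed sample input: an app.ini with the default (weak) settings and
// the same fragment with both workarounds applied.
const weakIni = `; constructed example, not a real deployment
[repository]
ROOT = /home/git/gogs-repositories
MAX_CREATION_LIMIT = -1

[service]
DISABLE_REGISTRATION = false
`

const hardenedIni = `; constructed example, not a real deployment
[repository]
ROOT = /home/git/gogs-repositories
MAX_CREATION_LIMIT = 0

[service]
DISABLE_REGISTRATION = true
`

// parseIni reads [section] headers, KEY = value lines, and # or ; comments,
// returning values keyed as "section.KEY".
func parseIni(text string) map[string]string {
	cfg := make(map[string]string)
	section := ""
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		switch {
		case line == "", strings.HasPrefix(line, "#"), strings.HasPrefix(line, ";"):
			continue
		case strings.HasPrefix(line, "[") && strings.HasSuffix(line, "]"):
			section = strings.TrimSpace(line[1 : len(line)-1])
			continue
		}
		kv := strings.SplitN(line, "=", 2)
		if len(kv) != 2 {
			continue
		}
		cfg[section+"."+strings.TrimSpace(kv[0])] = strings.TrimSpace(kv[1])
	}
	return cfg
}

// AuditMitigations returns one finding per missing workaround; an empty
// result means both are in place. An absent key is reported, because the
// Gogs defaults are the weak setting.
func AuditMitigations(iniText string) []string {
	cfg := parseIni(iniText)
	var findings []string
	if !strings.EqualFold(cfg["service.DISABLE_REGISTRATION"], "true") {
		findings = append(findings,
			"[service] DISABLE_REGISTRATION is not true: anyone can self-register and become a repository owner")
	}
	if cfg["repository.MAX_CREATION_LIMIT"] != "0" {
		findings = append(findings,
			"[repository] MAX_CREATION_LIMIT is not 0: users can still create repositories they control")
	}
	return findings
}

func main() {
	// Against a live instance, read the file instead of the constants:
	// data, err := os.ReadFile("custom/conf/app.ini")
	for _, c := range []struct{ name, text string }{{"weak", weakIni}, {"hardened", hardenedIni}} {
		findings := AuditMitigations(c.text)
		fmt.Printf("%s config: %d finding(s)\n", c.name, len(findings))
		for _, f := range findings {
			fmt.Println("  -", f)
		}
	}
}
```

These two settings only remove the "register, create a repository, enable rebase merging" path; an existing user with write access to a repository that already allows rebase merging is unaffected, which is why the third step, auditing the per-repository rebase merge setting, still has to be done.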

Rapid7 has also released a Metasploit module that automates the full exploit chain for both Linux and Windows targets. The module operates in two modes. The default mode creates a temporary repository under the attacker’s account, runs the exploit, and then deletes the repository, leaving only an HTTP 500 error in the server logs as a trace. The second mode targets an existing repository where the attacker already has write and merge access, which leaves more artifacts behind.

Given the severity and the lack of a fix, administrators are urged to implement the recommended workarounds immediately to safeguard their Gogs instances.
