2026-05-28 The Hacker News

Critical Gogs RCE Vulnerability Allows Code Execution

Tags: Vulnerability, Zero-Day, Authentication

A critical security vulnerability has been disclosed in Gogs, a popular open-source self-hosted Git service, that lets authenticated users execute arbitrary code on affected servers. Rapid7 rated the flaw 9.4 on the CVSS scoring system; it does not currently have a CVE identifier. Security researcher Jonah Burgess found that the "Rebase before merging" merge operation can be abused by injecting a malicious --exec flag into git rebase through a specially crafted branch name in a pull request. git rebase accepts shell commands via its --exec argument and runs them after each commit is replayed, which is what provides the attack vector. The zero-day affects all supported platforms, including Windows, Linux, and macOS, with an estimated 1,141 internet-facing instances currently exposed.

The exploit chain requires neither administrative privileges nor interaction from other users. An attacker simply creates an account on any default-configured Gogs instance, creates a repository (automatically becoming its owner), enables rebase merging with a single settings toggle, and opens a pull request with a malicious branch name. Alternatively, users with write access to a repository where rebase merging is already enabled can exploit the flaw directly; in restricted environments where repository creation is limited, write access to any such repository is all that is needed. Organizations should use a port scanner to identify exposed Gogs instances and a WHOIS lookup to audit domain registrations.

Successful exploitation lets attackers compromise the server, access every repository on the instance, dump credentials, move laterally to other network-accessible systems, and tamper with hosted code. The vulnerability also enables cross-tenant data breaches, allowing attackers to read other users' private repositories on shared servers. As of May 28, 2026, the vulnerability remains unpatched despite having been reported to the Gogs maintainers on March 17, 2026. In the absence of an official patch, administrators should immediately disable user registration by setting DISABLE_REGISTRATION to true in app.ini and restrict repository creation so that untrusted users cannot access the platform. Organizations should also run an email breach check to determine whether credentials may have been compromised.
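The root cause described above is argument injection: a user-supplied branch name reaches git's argument list and is parsed as an option. The following Go snippet is an added defensive example, not Gogs's own code, and assumes the service builds git's argv itself without a shell; it rejects option-like or malformed ref names and fully qualifies both sides of the rebase so that no user-controlled value can be read as a flag. It applies a subset of git's check-ref-format rules, which goes slightly beyond the single --exec case the article describes. The sample branch names in main are constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// validateRefName applies a subset of git's check-ref-format rules plus an
// explicit ban on option-like names. The leading-dash check is the one that
// matters for the flaw described above: a branch name beginning with "-"
// must never reach git's argument list.
func validateRefName(name string) error {
	switch {
	case name == "":
		return errors.New("empty ref name")
	case strings.HasPrefix(name, "-"):
		return fmt.Errorf("ref name %q looks like a command-line option", name)
	case strings.HasPrefix(name, "/") || strings.HasSuffix(name, "/"):
		return fmt.Errorf("ref name %q has a leading or trailing slash", name)
	case strings.Contains(name, ".."), strings.Contains(name, "@{"), strings.Contains(name, "//"):
		return fmt.Errorf("ref name %q contains a forbidden sequence", name)
	case strings.HasSuffix(name, ".lock"), strings.HasSuffix(name, "."):
		return fmt.Errorf("ref name %q has a forbidden suffix", name)
	}
	for _, r := range name {
		// Control characters, DEL and git's reserved punctuation are rejected.
		if r < 0x20 || r == 0x7f || strings.ContainsRune(" ~^:?*[\\", r) {
			return fmt.Errorf("ref name %q contains forbidden character %q", name, r)
		}
	}
	return nil
}

// rebaseArgs builds the argv for "git rebase <base> <head>" without a shell.
// Both names are validated and fully qualified as refs/heads/..., so the
// resulting arguments can never be parsed as options by git.
func rebaseArgs(base, head string) ([]string, error) {
	for _, n := range []string{base, head} {
		if err := validateRefName(n); err != nil {
			return nil, err
		}
	}
	return []string{"rebase", "refs/heads/" + base, "refs/heads/" + head}, nil
}

func main() {
	// Constructed sample inputs: one ordinary branch name, one option-like name.
	for _, head := range []string{"feature/login-fix", "--exec"} {
		args, err := rebaseArgs("main", head)
		fmt.Printf("head=%q args=%v err=%v\n", head, args, err)
	}
}
```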

Source: The Hacker News
