Rapid7 has disclosed an unpatched remote code execution vulnerability in Gogs, the lightweight self-hosted Git service written in Go. The flaw, an argument injection (CWE-88) rated CVSS v4 9.4, lets any authenticated user run arbitrary commands on the server by exploiting the way Gogs shells out to git rebase during a pull request merge. Rapid7 reported it to the maintainer on March 17, 2026. More than two months later there is still no patch and no CVE identifier, but there is a public Metasploit module. If you run an internet-reachable Gogs instance, treat this as a live 0-day.

What happened

Gogs supports a “Rebase before merging” merge strategy on pull requests. When a maintainer (or, as it turns out, an attacker) triggers that merge, Gogs invokes git rebase server-side and places the branch name on the command line. git rebase accepts an --exec <cmd> option that runs a shell command after each replayed commit. Because the branch name reaches git without an end-of-options marker (--) and without being rejected for starting with a dash, a branch named to look like an --exec=... argument is interpreted by git as a flag rather than a ref, and the attacker’s command executes as the Gogs service account.

Security researcher Jonah Burgess (CryptoCat) of Rapid7 walked through the chain: the attack needs no admin rights and no interaction from any other user. On a default-configured instance, an attacker simply registers an account, creates a repository — “any registered user who creates a repo is automatically its owner” — flips the single rebase-merge toggle in repo settings, and opens a pull request from the malicious branch. That’s the entire exploit path, start to finish, under one account.

Two variations widen the surface. A user who already has write access to a repository with rebase merging enabled can exploit it there directly, without creating anything. And on instances that restrict repository creation, that is all an attacker needs: write access to any rebase-enabled repository is enough to land code execution.

Technical details

  • Vulnerability: Argument injection (CWE-88) into git rebase via pull-request branch name
  • Severity: CVSS v4 9.4 (Critical). No CVE assigned.
  • Affected: Gogs 0.14.2 and 0.15.0+dev (commit b53d3162) confirmed; all prior releases supporting “Rebase before merging” are likely vulnerable. Windows, Linux, and macOS are all affected.
  • Status: Unpatched. Reported March 17, 2026; public disclosure May 28, 2026.
  • Exposure: ~1,141 internet-facing Gogs instances observed, almost certainly an undercount given how many sit behind VPNs and on internal networks.

The mechanism is the classic git argument-injection pattern that has repeatedly bitten Git forges: untrusted input (a ref name) reaches a git invocation without an -- separator or strict validation, and an attacker-controlled value gets parsed as a flag. Here --exec turns that into direct command execution.
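To make the pattern concrete, here is an added Go example (not Gogs code, and not Rapid7's exploit) that contrasts the vulnerable way of building the git argv with a hardened one. The vulnerable builder drops the branch name straight after the subcommand, so a branch named `--exec=...` is parsed as an option. The hardened builder rejects anything git's ref-name rules would refuse (leading dash, `..`, `@{`, control characters, `.lock` suffix, and so on; the regex is a conservative approximation of `git check-ref-format` written for this example) and then inserts `--` so git's option parser treats everything after it as positional. Validation is the real fix; the `--` is defense in depth. The payload string is constructed for illustration, and `git` is only prepared with exec.Command, never run, so the block works offline.

```go
package main

import (
	"errors"
	"fmt"
	"os/exec"
	"regexp"
	"strings"
)

// vulnerableRebaseArgs mirrors the dangerous pattern: the untrusted branch
// name lands on the command line where git's option parser still runs, so a
// value beginning with "-" is consumed as a flag instead of a ref.
func vulnerableRebaseArgs(upstream, branch string) []string {
	return []string{"rebase", upstream, branch}
}

// refNameBad is a conservative approximation (an assumption of this example,
// not git's own implementation) of the names git check-ref-format rejects:
// leading "-", "..", "@{", control chars/space/DEL, the ~ ^ : ? * [ \ set,
// path components starting with ".", a ".lock" suffix, leading/trailing or
// doubled "/", a trailing ".", and the bare name "@".
var refNameBad = regexp.MustCompile(
	`(^-)|(\.\.)|(@\{)|([\x01-\x20\x7f~^:?*\[\\])|(/\.)|(\.lock(/|$))|(^/)|(/$)|(//)|(\.$)|(^@$)`)

// validateBranchName returns an error for any name that must not reach git.
func validateBranchName(name string) error {
	if name == "" || strings.ContainsRune(name, 0) {
		return errors.New("empty or NUL-containing ref name")
	}
	if refNameBad.MatchString(name) {
		return fmt.Errorf("rejected ref name %q", name)
	}
	return nil
}

// hardenedRebaseArgs validates both refs and adds "--" so that even a value
// that slips past validation is parsed by git as a positional argument.
func hardenedRebaseArgs(upstream, branch string) ([]string, error) {
	for _, r := range []string{upstream, branch} {
		if err := validateBranchName(r); err != nil {
			return nil, err
		}
	}
	return []string{"rebase", "--", upstream, branch}, nil
}

// looksLikeOption is the one-line check a reviewer would look for before any
// untrusted string is handed to a CLI tool.
func looksLikeOption(arg string) bool { return strings.HasPrefix(arg, "-") }

func main() {
	// Constructed attacker-controlled branch name; the command is arbitrary.
	payload := "--exec=id > /tmp/pwned"

	vuln := vulnerableRebaseArgs("master", payload)
	fmt.Printf("vulnerable argv: %q (option-like ref: %v)\n", vuln, looksLikeOption(vuln[2]))

	if _, err := hardenedRebaseArgs("master", payload); err != nil {
		fmt.Println("hardened builder:", err)
	}

	args, _ := hardenedRebaseArgs("master", "feature/login")
	cmd := exec.Command("git", args...) // prepared only; not executed here
	fmt.Printf("hardened argv: %q\n", cmd.Args)
}
```

The hardened builder is deliberately strict rather than trying to allow-list every legal ref: a forge can afford to reject an odd branch name, but cannot afford to let one become a flag.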

Impact

Code execution as the Gogs service user is effectively full control of the forge. Rapid7 notes an attacker can breach the server, read and tamper with every repository on the instance, dump credentials, and pivot to other network-reachable systems. On a shared/multi-tenant Gogs server it becomes a cross-tenant data breach: the attacker can read other users’ private repositories. For most teams a Git server holds source code, CI secrets, deploy keys, and tokens — so this is a path straight into the rest of the build pipeline.

Rapid7 also published a Metasploit module (framework PR #21515) that automates the full chain against Linux and Windows. It runs in two modes: an ephemeral mode that creates a throwaway repo under the attacker’s account and deletes it afterward — leaving only an HTTP 500 in the server logs — and a mode targeting an existing repo the attacker can write to, which leaves more forensic artifacts.

What to do right now

There is no fixed version, so mitigation is configuration-level. In app.ini:

  • Set DISABLE_REGISTRATION = true to stop untrusted users from creating accounts.
  • Set MAX_CREATION_LIMIT = 0 to prevent users from creating their own repositories.
  • Audit which repositories have rebase merging enabled and disable it where it isn’t needed.
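The two settings above as they would sit in app.ini, added here for placement rather than copied from the advisory. The section names follow the layout of Gogs' own conf/app.ini as this editor knows it (DISABLE_REGISTRATION under [service], MAX_CREATION_LIMIT under [repository]); check them against the app.ini shipped with your version before relying on them, since a key placed in the wrong section is silently ignored.

```ini
[service]
; Stop untrusted users from self-registering accounts.
DISABLE_REGISTRATION = true

[repository]
; 0 forbids users from creating their own repositories; the shipped
; default is a negative value meaning no limit.
MAX_CREATION_LIMIT = 0
```

Restart Gogs after editing, then confirm the registration page is gone and that an ordinary user no longer sees the "new repository" action. Existing accounts and repositories are unaffected, which is why the audit of rebase-enabled repositories still matters.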

Beyond that, pull any internet-facing Gogs instance behind a VPN or access proxy, restrict accounts to trusted users, and watch server logs for unexplained HTTP 500s around merge operations. Given that Gogs is only lightly maintained and this report sat for over two months without a fix, organizations that need an actively patched self-hosted forge should weigh migrating to a maintained alternative — while noting that forks carry their own recent CVEs and need the same scrutiny.
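A small log-triage example for the "watch for HTTP 500s around merge operations" advice, written in Go for this page and not part of Gogs or the Rapid7 material. It assumes the request log has the shape of go-macaron's logger, which Gogs uses ("Completed <METHOD> <PATH> <STATUS> <TEXT> in <DURATION>"), and that the merge endpoint is `/<owner>/<repo>/pulls/<n>/merge`; the exact prefix and timestamp format vary by deployment, so adjust the regex to your own log. The sample lines are constructed. Beyond listing merge 500s, it flags the sequence the ephemeral Metasploit mode would leave behind: a merge 500 on a repository that is then acted on through its settings page.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Constructed sample in go-macaron's request-log shape (an assumption about
// the deployment; real prefixes and timestamps may differ).
const sampleLog = `[Macaron] 2026-05-28 09:14:02: Started POST /alice/notes/pulls/3/merge for 203.0.113.7
[Macaron] 2026-05-28 09:14:02: Completed POST /alice/notes/pulls/3/merge 500 Internal Server Error in 41.2ms
[Macaron] 2026-05-28 09:14:05: Completed GET /alice/notes 200 OK in 3.1ms
[Macaron] 2026-05-28 09:15:10: Completed POST /alice/notes/settings 302 Found in 9.8ms
[Macaron] 2026-05-28 09:20:00: Completed POST /bob/api/pulls/1/merge 200 OK in 30ms
[Macaron] 2026-05-28 09:21:00: Completed POST /bob/api/pulls/2/merge 500 Internal Server Error in 12ms`

// completed matches only the "Completed" lines, which carry the status code.
var completed = regexp.MustCompile(`^\[Macaron\] (\S+ \S+): Completed (\S+) (\S+) (\d{3}) `)

// mergePath is the pull-request merge route (assumed: /owner/repo/pulls/N/merge).
var mergePath = regexp.MustCompile(`^/[^/]+/[^/]+/pulls/\d+/merge$`)

// Hit is one completed request.
type Hit struct {
	Time, Method, Path, Repo string
	Status                   int
}

// repoOf extracts "owner/name" from a repository-scoped path, or "" if the
// path is not repository-scoped.
func repoOf(path string) string {
	parts := strings.SplitN(strings.TrimPrefix(path, "/"), "/", 3)
	if len(parts) < 2 {
		return ""
	}
	return parts[0] + "/" + parts[1]
}

// parseLog turns the raw log into Hits, skipping lines that are not
// "Completed" entries.
func parseLog(log string) []Hit {
	var out []Hit
	for _, ln := range strings.Split(log, "\n") {
		m := completed.FindStringSubmatch(ln)
		if m == nil {
			continue
		}
		st, _ := strconv.Atoi(m[4])
		out = append(out, Hit{Time: m[1], Method: m[2], Path: m[3], Repo: repoOf(m[3]), Status: st})
	}
	return out
}

func isMergeFailure(h Hit) bool {
	return h.Method == "POST" && h.Status == 500 && mergePath.MatchString(h.Path)
}

// mergeFailures returns every merge request that ended in HTTP 500.
func mergeFailures(hits []Hit) []Hit {
	var out []Hit
	for _, h := range hits {
		if isMergeFailure(h) {
			out = append(out, h)
		}
	}
	return out
}

// ephemeralSuspects lists repositories where a merge 500 is later followed by
// a POST to that repository's settings page: the throwaway-repo pattern.
func ephemeralSuspects(hits []Hit) []string {
	seen := map[string]bool{}
	var out []string
	for i, h := range hits {
		if !isMergeFailure(h) || seen[h.Repo] {
			continue
		}
		for _, later := range hits[i+1:] {
			if later.Repo == h.Repo && later.Method == "POST" && strings.HasSuffix(later.Path, "/settings") {
				seen[h.Repo] = true
				out = append(out, h.Repo)
				break
			}
		}
	}
	return out
}

func main() {
	hits := parseLog(sampleLog)
	for _, f := range mergeFailures(hits) {
		fmt.Printf("merge 500: %s %s\n", f.Time, f.Path)
	}
	fmt.Println("ephemeral-pattern suspects:", ephemeralSuspects(hits))
}
```

A single merge 500 is noise on a busy forge; the same repository hitting 500 on merge and then being touched through its settings page within minutes, by an account that created the repository itself, is the shape worth paging on. Correlate the flagged repository with the access log's source address and the account's creation time.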

Sources