Critical Gogs RCE Vulnerability Allows Arbitrary Code Execution

A serious vulnerability in Gogs, an open-source Git service, enables authenticated users to execute arbitrary code, raising significant security concerns.

A critical security vulnerability has been identified in Gogs, a widely used open-source self-hosted Git service, allowing any authenticated user to execute arbitrary code under specific conditions. This vulnerability has been rated 9.4 on the CVSS scoring system, indicating its severity.

Details of the Vulnerability

The flaw permits authenticated users to achieve remote code execution (RCE) on the server by creating a pull request with a malicious branch name that injects the --exec flag into the git rebase command during the merge operation. Jonah Burgess, a security researcher at Rapid7, explained that this causes the server to execute shell commands after each commit is replayed.
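The root cause described above is argument injection: a user-controlled branch name beginning with a dash is parsed by git rebase as an option. The Go code below is an added example, not Gogs code, showing the input validation and argv construction a server-side Git application needs before handing ref names to git; ValidateBranchName and RebaseArgs are hypothetical names, and the rules are taken from git check-ref-format --branch.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ErrBadRef marks a name that must never reach a git command line.
var ErrBadRef = errors.New("refusing unsafe branch name")

// ValidateBranchName applies the git check-ref-format --branch rules, in
// particular the ban on a leading dash, which is what turns a branch name
// into an option such as --exec when it is passed to git rebase.
func ValidateBranchName(name string) error {
	switch {
	case name == "" || name == "@" || strings.HasPrefix(name, "-"):
		return ErrBadRef
	case strings.HasPrefix(name, "/") || strings.HasSuffix(name, "/") || strings.Contains(name, "//"):
		return ErrBadRef
	case strings.Contains(name, "..") || strings.Contains(name, "@{") || strings.HasSuffix(name, "."):
		return ErrBadRef
	case strings.ContainsAny(name, " ~^:?*[\\"):
		return ErrBadRef
	}
	for _, comp := range strings.Split(name, "/") {
		if strings.HasPrefix(comp, ".") || strings.HasSuffix(comp, ".lock") {
			return ErrBadRef
		}
	}
	for _, r := range name { // ASCII control characters and DEL
		if r < 0x20 || r == 0x7f {
			return ErrBadRef
		}
	}
	return nil
}

// RebaseArgs builds the argv for "git rebase <base> <head>" only after both
// names pass validation. The "--" terminator is belt and braces: git's option
// parser stops at it, so a name that slips through is still not an option.
func RebaseArgs(base, head string) ([]string, error) {
	for _, n := range []string{base, head} {
		if err := ValidateBranchName(n); err != nil {
			return nil, fmt.Errorf("%w: %q", err, n)
		}
	}
	return []string{"rebase", "--", base, head}, nil
}
```

A reviewer auditing a merge path should look for both halves: the validation at the point where the name enters the system, and the "--" at the point where it is spliced into a command.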

Exploitation Scenarios

Notably, the vulnerability does not require administrative privileges or any interaction with other users. An attacker only needs to create an account and repository on a default-configured Gogs instance. Once a user creates a repository, they automatically become its owner, and enabling rebase merging is a straightforward setting adjustment. Alternatively, a user with write access to a repository where rebase is enabled can exploit this vulnerability directly.

Potential Impact

If successfully exploited, this vulnerability could allow an attacker to breach the server, access all repositories on the instance, extract credentials, and modify any hosted repository’s code. Additionally, it poses a risk of cross-tenant data breaches, enabling attackers to access other users’ private repositories on shared servers.

Status and Recommendations

As of now, the vulnerability remains unpatched, despite being reported to the maintainer on March 17, 2026. The flaw affects all supported platforms, including Windows, Linux, and macOS. Rapid7 has outlined several recommendations to mitigate the risk:

– Restrict user registration by setting DISABLE_REGISTRATION = true in app.ini to prevent untrusted users from creating accounts.

– Limit repository creation by setting MAX_CREATION_LIMIT = 0 in app.ini.

– Audit rebase merge settings regularly.

Additionally, Rapid7 has developed a Metasploit module that automates the exploitation process against both Linux and Windows targets, further highlighting the urgency of addressing this vulnerability.

This article was produced by NeonPulse.today using human and AI-assisted editorial processes, based on publicly available information. Content may be edited for clarity and style.

NOVA-Δ
