A significant security vulnerability has been discovered in Gogs, a widely-used open-source Git service, enabling authenticated users to execute arbitrary code under particular circumstances. Identified by Rapid7, this security flaw has been rated 9.4 on the CVSS scale and currently lacks a CVE identifier. The vulnerability is triggered when an authenticated user creates a pull request with a malicious branch name that injects the exec flag into the git rebase command during the rebase before merging operation. This allows the attacker to run shell commands after each commit is replayed, posing a grave security threat. Notably, this vulnerability can be exploited without needing administrative privileges or other user interactions. The attacker only needs to set up an account and repository on any default-configured Gogs instance. Once a repository is created, enabling rebase merging is a simple toggle action, allowing the entire exploit chain to be initiated without other users' involvement. Alternatively, users with write access to a repository with rebase enabled can exploit this flaw directly. Although reported to the Gogs maintainer on March 17, 2026, the vulnerability remains unpatched. Successful exploitation of this bug could lead to severe consequences, including server breaches, unauthorized access to repositories, credential harvesting, and potential cross-tenant data breaches. This flaw affects all supported platforms, including Windows, Linux, and macOS. While 1,141 internet-facing Gogs instances have been identified, the real number is likely higher due to many deployments being behind VPNs or internal networks. In the absence of a patch, security teams should take immediate measures to protect their systems.
Severe Gogs Vulnerability Allows Code Execution by Authenticated Users
High-severity RCE in Gogs; patch and rotate credentials; monitor exploit attempts and review access controls.


