A critical security vulnerability has been disclosed in Gogs, a widely used open-source self-hosted Git service. The flaw, rated 9.4 on the CVSS scoring system, allows an authenticated user to execute arbitrary code on the server under specific circumstances, posing a significant risk to data integrity and system security. As of May 28, 2026, the vulnerability remains unpatched.
According to security researcher Jonah Burgess, the vulnerability permits any authenticated user to achieve remote code execution (RCE) by crafting a pull request with a malicious branch name. This maliciously crafted name injects the `--exec` flag into the `git rebase` command during the “Rebase before merging” operation. This process doesn’t require administrator privileges and can be initiated by any registered user who can create a repository, provided rebase merging is enabled in the instance’s settings.
Gogs Vulnerability Exploitation Potential
The exploit hinges on the functionality of `git rebase`, a Git command used to integrate changes from one branch into another by replaying commits. Critically, `git rebase` can accept a shell command via an `--exec` flag, which is then executed after each commit is replayed. The ease of exploitation is amplified by the fact that, under the default configuration, any registered user can become a repository owner, and enabling rebase merging is a simple toggle in the Gogs settings.
In scenarios where new repository creation is restricted on a Gogs instance, an attacker would need write access to a repository where rebase merging is already enabled. Even in this case, the attacker can still leverage the flaw to gain code execution on the server. This highlights a systemic risk if rebase merging is not carefully managed across all repositories.
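The root cause described above is argument injection: a user-controlled branch name that begins with a dash is parsed by git as an option rather than as a ref. The Go code below is an added example (not Gogs' own code) showing the check a server should apply before any branch name reaches a `git rebase` command line; `ValidateBranchName` and `RebaseArgs` are hypothetical helper names.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ErrBadRefName is returned for names that must never reach a git command line.
var ErrBadRefName = errors.New("refusing unsafe branch name")

// ValidateBranchName applies the part of git's refname rules that matters for
// argument injection: a name starting with '-' would be parsed by git as an
// option (such as --exec), so it is rejected outright, together with the
// characters and patterns git itself forbids in refnames.
func ValidateBranchName(name string) error {
	if name == "" || name == "@" || strings.HasPrefix(name, "-") {
		return fmt.Errorf("%w: %q", ErrBadRefName, name)
	}
	if strings.HasPrefix(name, ".") || strings.HasSuffix(name, ".") ||
		strings.HasSuffix(name, "/") || strings.HasSuffix(name, ".lock") ||
		strings.Contains(name, "..") || strings.Contains(name, "//") ||
		strings.Contains(name, "@{") {
		return fmt.Errorf("%w: %q", ErrBadRefName, name)
	}
	for _, r := range name {
		if r < 0x20 || r == 0x7f || strings.ContainsRune(" ~^:?*[\\", r) {
			return fmt.Errorf("%w: %q", ErrBadRefName, name)
		}
	}
	return nil
}

// RebaseArgs builds the argument vector for rebasing head onto base. Both
// user-controlled names are validated first, and returning one element per
// argument (for exec.Command, never a shell string) means no value can be
// re-split into extra flags.
func RebaseArgs(base, head string) ([]string, error) {
	for _, n := range []string{base, head} {
		if err := ValidateBranchName(n); err != nil {
			return nil, err
		}
	}
	return []string{"rebase", base, head}, nil
}

func main() {
	// Constructed sample names: one legitimate, two that git would read as options.
	for _, name := range []string{"feature/login", "--exec=true", "-x"} {
		args, err := RebaseArgs("master", name)
		fmt.Printf("%-16q -> args=%v err=%v\n", name, args, err)
	}
}
```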
The implications of a successful exploit are severe. An attacker could gain the ability to breach the server, access all repositories hosted on the instance, and potentially exfiltrate credentials. Furthermore, they could move laterally to other network-accessible systems and tamper with the code of any hosted repository. A particularly concerning aspect is the potential for cross-tenant data breaches on shared Gogs instances, allowing an attacker to access other users’ private repositories.
Impact and Mitigation Recommendations for Gogs Instances
The vulnerability affects all supported Gogs platforms, including Windows, Linux, and macOS. Estimates suggest there are at least 1,141 internet-facing Gogs instances, though the actual number is likely higher due to deployments behind VPNs and internal networks. The lack of a patch since its report on March 17, 2026, exacerbates the risk for organizations relying on Gogs for their Git hosting.
In the absence of an immediate patch, Rapid7, which reported the vulnerability, has outlined several mitigation recommendations for Gogs users. These include restricting user registration by setting `DISABLE_REGISTRATION = true` in the `app.ini` configuration file. Additionally, limiting repository creation by setting `MAX_CREATION_LIMIT = 0` can prevent users from creating their own repositories. Auditing existing rebase merge settings across all repositories is also crucial to identify and disable the potentially exploitable feature where it is not strictly necessary.
Rapid7 has also developed a Metasploit module to automate the exploitation process against both Linux and Windows targets. This module offers two modes: one that creates and deletes a temporary repository to carry out the exploit, leaving minimal trace, and another that targets an existing repository where the attacker already has write and merge access, which may leave additional artifacts.
The ongoing lack of a patch means that administrators of Gogs instances must remain vigilant and implement the recommended security measures proactively. The next anticipated step is for the Gogs maintainers to release a patch addressing the critical remote code execution flaw. Until then, disabling rebase merging and restricting user and repository creation are the most effective defense strategies.