- A critical, unpatched security flaw in the open-source Git service Gogs allows authenticated users to execute arbitrary code on the server.
- The vulnerability, rated 9.4 on the CVSS scale, is exploited via a malicious branch name during a “Rebase before merging” operation.
- An attacker can compromise the server, access all hosted repositories, and potentially cause a cross-tenant data breach.
- There is currently no official patch, but administrators can mitigate risk by restricting user registration and repository creation.
On May 28, 2026, security researchers disclosed a severe vulnerability in the self-hosted Git service Gogs that enables remote code execution. The flaw, which does not have a CVE identifier, was detailed in a report by Rapid7 researcher Jonah Burgess.
According to the findings, any authenticated user can achieve code execution by creating a pull request with a malicious branch name. This injects the --exec flag into the git rebase command during a “Rebase before merging” operation.
Consequently, an attacker with only basic account access can potentially breach the entire server. They could then dump credentials, tamper with hosted code, and access other users’ private repositories on the shared instance.
The vulnerability affects all supported platforms, including Windows, Linux, and macOS. There are an estimated 1,141 internet-facing Gogs instances, with many more likely deployed internally.
As of now, the bug remains unpatched despite being reported to the maintainer on March 17, 2026. In response, Rapid7 has published a Metasploit module that automates the exploit chain.
Administrators are urged to restrict user registration and repository creation in their configuration files. They should also audit which repositories have the rebase merge setting enabled, to limit the attack surface until a fix is available.
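The root cause described above is argument injection: a user-controlled ref name reaches a position on the git command line where git reads it as an option rather than a branch. As an added example (not Gogs' code and not from the Rapid7 report), here is a hypothetical Go validator that applies git's documented ref-name rules, in particular rejecting names that begin with a dash, before a name is ever placed in a rebase argv:

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ValidateRefName applies the constraints documented for git check-ref-format.
// The leading-dash rule is the one that blocks option injection such as --exec.
func ValidateRefName(name string) error {
	switch {
	case name == "" || name == "@":
		return errors.New("empty or reserved ref name")
	case strings.HasPrefix(name, "-"):
		return errors.New("ref name must not start with '-' (git would parse it as an option)")
	case strings.HasPrefix(name, "/"), strings.HasSuffix(name, "/"),
		strings.HasPrefix(name, "."), strings.HasSuffix(name, "."):
		return errors.New("ref name must not start or end with '/' or '.'")
	case strings.HasSuffix(name, ".lock"), strings.Contains(name, "/."),
		strings.Contains(name, "//"), strings.Contains(name, ".."), strings.Contains(name, "@{"):
		return errors.New("ref name contains a forbidden component or sequence")
	}
	for _, r := range name {
		if r < 0x20 || r == 0x7f || strings.ContainsRune(" ~^:?*[\\", r) {
			return fmt.Errorf("ref name contains forbidden character %q", r)
		}
	}
	return nil
}

// RebaseArgs builds a git argv for rebasing head onto base. It is a hypothetical
// helper: every user-supplied value is validated before it becomes an argument,
// so a name like "--exec" is rejected instead of being handed to git rebase.
func RebaseArgs(base, head string) ([]string, error) {
	for _, n := range []string{base, head} {
		if err := ValidateRefName(n); err != nil {
			return nil, fmt.Errorf("refusing to rebase with %q: %w", n, err)
		}
	}
	return []string{"rebase", base, head}, nil
}

func main() {
	// Constructed sample names: one legitimate, one shaped like an option.
	for _, head := range []string{"feature/login-fix", "--exec"} {
		args, err := RebaseArgs("main", head)
		fmt.Printf("head=%q args=%v err=%v\n", head, args, err)
	}
}
```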
