The popular open-source Git service, Gogs, faces a critical security vulnerability that permits authenticated users to execute arbitrary code. This flaw, as disclosed by Rapid7, has been assigned a severity score of 9.4 on the CVSS scale, highlighting its potential impact.
Understanding the Vulnerability
This security issue allows any authenticated user to achieve remote code execution (RCE) on the server. The flaw is triggered when a user creates a pull request whose branch name is crafted so that it is passed to git rebase as the --exec option during the ‘Rebase before merging’ operation. This operation in Git is used to integrate changes, creating a linear history by replaying commits on top of another branch.
Importantly, the --exec flag of git rebase runs a shell command after each commit is replayed, which is how a branch name becomes a command. Because of this, attackers can exploit the system without administrative privileges or interaction from other users: creating an account and setting up a repository can suffice to launch the attack.
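The root cause described above is argument injection: a user-controlled ref name is placed where git's option parser reads it as a flag. The following Go snippet is an added illustration of the defensive pattern, not Gogs' own code; it assumes that git's option parser stops at "--" (standard parse-options behaviour) and uses a constructed branch list to show a normal name accepted and an option-shaped name rejected.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ErrUnsafeRef marks a name that is empty or that git would parse as an option.
var ErrUnsafeRef = errors.New("ref name is empty or would be parsed as a git option")

// ValidateRefForArgv rejects names that git's option parser would treat as
// a flag (leading '-') and names that violate a subset of the
// git check-ref-format rules, so only plausible revisions reach argv.
func ValidateRefForArgv(name string) error {
	if name == "" || strings.HasPrefix(name, "-") {
		return ErrUnsafeRef
	}
	for _, b := range []byte(name) {
		if b < 0x20 || b == 0x7f { // control characters are never legal in a ref
			return fmt.Errorf("control character in ref name %q", name)
		}
	}
	if strings.ContainsAny(name, " ~^:?*[\\") || strings.Contains(name, "..") ||
		strings.Contains(name, "@{") || strings.HasSuffix(name, ".lock") ||
		strings.HasSuffix(name, "/") || strings.HasSuffix(name, ".") {
		return fmt.Errorf("invalid ref name %q", name)
	}
	return nil
}

// RebaseArgv builds the argv for replaying head onto base. Both names are
// validated and placed after "--", so git stops option parsing before
// reading them; pass the slice to exec.Command, never to a shell.
func RebaseArgv(base, head string) ([]string, error) {
	for _, n := range []string{base, head} {
		if err := ValidateRefForArgv(n); err != nil {
			return nil, err
		}
	}
	return []string{"git", "rebase", "--", base, head}, nil
}

func main() {
	// Constructed inputs: a normal branch name and an option-shaped one.
	for _, head := range []string{"feature/login", "--exec"} {
		argv, err := RebaseArgv("master", head)
		fmt.Printf("head=%q argv=%q err=%v\n", head, argv, err)
	}
}
```

Validation is kept even though "--" is used, because the same name may travel to other code paths (log messages, templates, shell hooks) that have no option terminator.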
Exploitation Scenarios
Security researcher Jonah Burgess explains that any registered user who creates a repository becomes its owner by default. With rebase merging enabled via a simple settings toggle, the full exploit chain can be executed independently. Alternatively, users with write access to a repository with rebase enabled can directly exploit the flaw to gain code execution.
On Gogs instances where repository creation is restricted, attackers need write access to any existing repository with rebase merging enabled to proceed. Despite being reported on March 17, 2026, the vulnerability remains unpatched, posing significant risks such as server breaches, credential leaks, and unauthorized access to repositories.
Mitigation Measures and Future Outlook
The vulnerability impacts all supported platforms, including Windows, Linux, and macOS, with an estimated 1,141 internet-facing instances potentially at risk. The actual number may be higher due to many deployments being behind VPNs or internal networks. In light of the absence of a patch, several recommendations have been made to mitigate the risk:
- Disable user registration to prevent untrusted account creations.
- Restrict repository creation to limit user-initiated repositories.
- Audit rebase merge settings thoroughly.
Rapid7 has also developed a Metasploit module to automate the exploit chain for both Linux and Windows targets. This module operates in two modes: a default mode where a temporary repository is created and deleted, and a targeted mode for existing repositories with write access.
As awareness of this vulnerability grows, Gogs users are urged to adopt these protective measures promptly. Monitoring server logs for unusual activity and preparing for potential patches will be crucial in safeguarding against this significant security threat.
