A newly identified vulnerability in Gogs, a popular self-hosted Git platform, enables authenticated users to execute arbitrary commands on the server. This critical flaw, discovered by Rapid7 Labs researcher Jonah Burgess, poses a significant security risk as no patch is currently available.
Vulnerability Details
The vulnerability, classified as a CWE-88 argument injection, has been assigned a critical CVSSv4 score of 9.4. It affects the ‘Rebase before merging’ operation in Gogs, impacting the latest stable release, Gogs 0.14.2, and the development build 0.15.0+dev. Previous versions supporting this merge style are also likely affected.
The exploit involves crafting a malicious branch name that prompts the Git rebase command to execute attacker-controlled commands. This mechanism allows arbitrary command execution as the Gogs server process user, typically ‘git’.
Security Implications
The vulnerability is particularly dangerous due to Gogs’ default settings, which allow open user registration and unlimited repository creation. An unauthenticated attacker can exploit this flaw to register an account, create a repository, and execute the exploit chain without needing administrative privileges or interaction from other users.
Successful exploitation could lead to server compromise, data breaches, credential theft, lateral network movement, and supply chain attacks by modifying repository code without detection.
Mitigation Strategies
While no official patch is available, organizations can implement immediate mitigations. Setting ‘DISABLE_REGISTRATION = true’ in app.ini can prevent untrusted account creation. Limiting repository creation with ‘MAX_CREATION_LIMIT = 0’ is also advised.
Administrators should audit repositories for the ‘Rebase before merging’ setting and monitor logs for suspicious activities, particularly those involving ‘git checkout --exec’.
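As an added example (not code from the article or the Gogs project), the following Python script checks an app.ini fragment for the two mitigation settings above, rejects ref names that git would parse as options (the general CWE-88 defence, which goes beyond what the article states), and flags constructed log lines in which a git command carries --exec. The [service] and [repository] section names, the log format and all sample values are assumptions.

```python
import configparser
import re

# Constructed app.ini fragments (not from the article). The [service] and
# [repository] section names are an assumption about Gogs' app.ini layout.
WEAK_APP_INI = """
[service]
DISABLE_REGISTRATION = false
[repository]
MAX_CREATION_LIMIT = -1
"""
HARDENED_APP_INI = """
[service]
DISABLE_REGISTRATION = true
[repository]
MAX_CREATION_LIMIT = 0
"""

def audit_app_ini(ini_text: str) -> list:
    """Return the two mitigation settings from the article that are NOT in place."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.optionxform = str  # keep the upper-case key names exactly as written
    cfg.read_string(ini_text)
    findings = []
    reg = cfg.get("service", "DISABLE_REGISTRATION", fallback="false")
    if reg.strip().lower() != "true":
        findings.append("service.DISABLE_REGISTRATION should be true")
    limit = cfg.get("repository", "MAX_CREATION_LIMIT", fallback="-1")
    if limit.strip() != "0":
        findings.append("repository.MAX_CREATION_LIMIT should be 0")
    return findings

# Argument injection (CWE-88): a ref name beginning with '-' is parsed by git
# as an option, so reject it before it is placed on a git command line.
def is_safe_ref_argument(ref: str) -> bool:
    return bool(ref) and not ref.startswith("-")

# Hypothetical log format with constructed lines, not real Gogs output.
EXEC_IN_GIT_CMD = re.compile(r"\bgit\b.*\s--exec\b")
SAMPLE_LOG = [
    "2026-04-01 10:00:01 [TRACE] git rebase origin/main",
    "2026-04-01 10:00:02 [TRACE] git checkout --exec PLACEHOLDER branch",
    "2026-04-01 10:00:03 [TRACE] git merge feature/login",
]

def scan_log_lines(lines):
    """Return log lines in which a git command carries --exec (the article's indicator)."""
    return [line for line in lines if EXEC_IN_GIT_CMD.search(line)]

if __name__ == "__main__":
    print(audit_app_ini(WEAK_APP_INI))  # two findings for the weak config
    print(scan_log_lines(SAMPLE_LOG))   # the one line carrying --exec
```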
The vulnerability was reported to Gogs maintainers on March 17, 2026, but remains unpatched despite multiple follow-ups. Users are urged to apply mitigations and stay updated on developments.
