Critical Gogs RCE Vulnerability Allows Any Authenticated User to Execute Arbitrary Code

A critical security vulnerability has been disclosed in Gogs, the popular open source self-hosted Git service, that allows any authenticated user to execute arbitrary code on the server under certain conditions.
The flaw is rated 9.4 on the CVSS scoring system, per Rapid7. It has not been assigned a CVE identifier.
“The vulnerability allows any authenticated user to achieve remote code execution (RCE) on the server by creating a pull request with a malicious branch name that includes the --exec flag in git rebase during a ‘Rebase before merge’ merge,” said security researcher Jonah Burgess.
Rebase is a Git operation used to take a sequence of commits from one feature branch and replay them on top of another base branch, producing a linear project history. While “git rebase” solves the same problem as “git merge”, that is, integrating changes from one branch into another, the former rewrites the project history by creating a new commit for each commit on the original branch.
The “git rebase” command also accepts, via the --exec flag, a shell command that is run after each commit is replayed. A notable aspect of the vulnerability is that it requires neither administrative privileges nor interaction with other users. To carry out an attack, all a low-privileged threat actor needs to do is create an account and a repository on any affected instance.
“Any registered user who creates a repository automatically owns it,” Burgess said. “From then on, enabling rebase is a single change in the settings, and the entire exploit chain can be run without the interaction of any other user.”
In another scenario, a user with write access to a repository where rebase is already enabled can exploit the bug directly to achieve code execution. In Gogs environments where repository creation is restricted, an attacker must have write access to a repository with rebase enabled.
As of writing, the vulnerability has not been patched, despite being reported to the maintainer on March 17, 2026. Successful exploitation may give an attacker the ability to compromise the server, access every repository hosted on it, dump data, pivot to other systems reachable on the network, and tamper with any hosted source code.
In addition, it may result in a breach of tenant isolation, allowing an attacker to read private repositories hosted on the same shared server. According to Rapid7, the bug affects all supported platforms, including Windows, Linux, and macOS.
There are an estimated 1,141 Gogs instances exposed online. The actual figure is expected to be higher, however, as most deployments sit behind VPNs or on internal networks.
In the absence of a patch, the following mitigations are recommended:
- Restrict user registration (DISABLE_REGISTRATION = true in app.ini) to prevent untrusted users from creating accounts
- Limit repository creation (MAX_CREATION_LIMIT = 0 in app.ini) to prevent users from creating their own repositories
- Review the rebase settings on existing repositories
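The two app.ini settings listed above can be checked mechanically. The following is an added example, not code from the article or from Rapid7 or the Gogs project: it parses an app.ini fragment with Python's configparser, reports which of the two recommended values are missing, and rewrites the file with the hardened values. The `[service]` and `[repository]` section names are the ones Gogs uses for these keys; the two sample fragments are constructed for this example.

```python
import configparser
import io
from dataclasses import dataclass

# Constructed sample of a permissive Gogs app.ini fragment (open registration,
# unlimited repository creation). Section names follow Gogs' own layout.
WEAK_INI = """\
[repository]
MAX_CREATION_LIMIT = -1

[service]
DISABLE_REGISTRATION = false
"""

# Constructed sample with the two recommended mitigations applied.
HARDENED_INI = """\
[repository]
MAX_CREATION_LIMIT = 0

[service]
DISABLE_REGISTRATION = true
"""


@dataclass(frozen=True)
class Finding:
    """One setting that deviates from the recommended value."""
    section: str
    key: str
    actual: str
    wanted: str


def _load(ini_text: str) -> configparser.ConfigParser:
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep Gogs' upper-case key names as written
    cp.read_string(ini_text)
    return cp


def audit_app_ini(ini_text: str) -> list[Finding]:
    """Return the recommended settings that are absent or still permissive."""
    cp = _load(ini_text)
    findings: list[Finding] = []

    # Registration must be disabled so untrusted users cannot create accounts.
    reg = cp.get("service", "DISABLE_REGISTRATION", fallback="false")
    if reg.strip().lower() != "true":
        findings.append(Finding("service", "DISABLE_REGISTRATION", reg, "true"))

    # Repository creation must be limited to 0 so users cannot own a repo.
    limit = cp.get("repository", "MAX_CREATION_LIMIT", fallback="-1")
    try:
        limit_val = int(limit.strip())
    except ValueError:
        limit_val = -1  # an unparsable value is treated as unlimited
    if limit_val != 0:
        findings.append(Finding("repository", "MAX_CREATION_LIMIT", limit, "0"))

    return findings


def harden_app_ini(ini_text: str) -> str:
    """Return the app.ini text with both mitigations set, adding sections if needed."""
    cp = _load(ini_text)
    for section in ("service", "repository"):
        if not cp.has_section(section):
            cp.add_section(section)
    cp.set("service", "DISABLE_REGISTRATION", "true")
    cp.set("repository", "MAX_CREATION_LIMIT", "0")
    buf = io.StringIO()
    cp.write(buf)
    return buf.getvalue()


if __name__ == "__main__":
    for f in audit_app_ini(WEAK_INI):
        print(f"[{f.section}] {f.key} = {f.actual!r}, recommended {f.wanted}")
    print(harden_app_ini(WEAK_INI))
```

Run it against a copy of the live app.ini (`audit_app_ini(open(path).read())`) rather than editing the file in place; Gogs must be restarted for changed settings to take effect, and the per-repository rebase setting is not in app.ini and still has to be reviewed separately.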
Rapid7 has also released a Metasploit module that automates the exploit chain against Linux and Windows targets. The module supports two modes: in the default mode a temporary repository is created under the attacker’s account, the exploit is run, and the repository is deleted; the second mode targets a repository to which the attacker already has write and merge access.
“When an attacker creates and deletes his repository, the only trace is an HTTP 500 in the server log,” said a cybersecurity expert. “When an existing repository is exploited, other artifacts remain.”