Gogs RCE Flaw Lets Authenticated Users Run Code via Git Rebase

1 min read
Source: The Hacker News
Gogs RCE Flaw Lets Authenticated Users Run Code via Git Rebase
Photo: The Hacker News
TL;DR Summary

Rapid7 reports a critical Gogs vulnerability (CVSS 9.4) that lets any authenticated user achieve remote code execution by crafting a pull request with a malicious branch name that injects a --exec command into git rebase during the Rebase before merging step; no admin rights are required and an attacker can trigger it simply by registering and creating a repository with rebase merging enabled. If unpatched (as of March 17, 2026), this could allow server compromise, access to all repos, credential dumps, cross-tenant data breaches, or further network access. Mitigations include disabling new registrations, restricting repository creation, and auditing rebase merge settings; a Metasploit module exists to automate the exploit. Estimates put internet-facing Gogs instances around 1,141, likely higher in internal deployments behind VPNs.

Share this article

Reading Insights

Total Reads

0

Unique Readers

22

Time Saved

2 min

vs 3 min read

Condensed

79%

595123 words

Want the full story? Read the original article

Read on The Hacker News