Gogs RCE Flaw Lets Authenticated Users Run Code via Git Rebase

Rapid7 reports a critical Gogs vulnerability (CVSS 9.4) that lets any authenticated user achieve remote code execution by crafting a pull request with a malicious branch name that injects a --exec command into git rebase during the Rebase before merging step; no admin rights are required and an attacker can trigger it simply by registering and creating a repository with rebase merging enabled. If unpatched (as of March 17, 2026), this could allow server compromise, access to all repos, credential dumps, cross-tenant data breaches, or further network access. Mitigations include disabling new registrations, restricting repository creation, and auditing rebase merge settings; a Metasploit module exists to automate the exploit. Estimates put internet-facing Gogs instances around 1,141, likely higher in internal deployments behind VPNs.
- Critical Gogs RCE Vulnerability Lets Any Authenticated User Execute Arbitrary Code The Hacker News
- Lack of response to critical vulnerability in Gogs is a reminder of the limits of open source projects InfoWorld
- Rapid7 warns of unpatched critical-severity zero-day flaw in popular Gogs self-hosted Git service Cyber Daily
- New Gogs 0-Day Vulnerability Lets Attackers Run Malicious Code on the Server Remotely CyberSecurityNews
- New Gogs 0-Day Lets Attackers Execute Code Remotely on Servers cyberpress.org
Reading Insights
0
22
2 min
vs 3 min read
79%
595 → 123 words
Want the full story? Read the original article
Read on The Hacker News