
Gogs RCE Flaw Lets Authenticated Users Run Code via Git Rebase
Rapid7 reports a critical Gogs vulnerability (CVSS 9.4) that lets any authenticated user achieve remote code execution by crafting a pull request with a malicious branch name that injects a --exec command into git rebase during the Rebase before merging step; no admin rights are required and an attacker can trigger it simply by registering and creating a repository with rebase merging enabled. If unpatched (as of March 17, 2026), this could allow server compromise, access to all repos, credential dumps, cross-tenant data breaches, or further network access. Mitigations include disabling new registrations, restricting repository creation, and auditing rebase merge settings; a Metasploit module exists to automate the exploit. Estimates put internet-facing Gogs instances around 1,141, likely higher in internal deployments behind VPNs.


