Critical Gogs Flaw Lets Users Execute Remote Code
A critical security vulnerability has been discovered in Gogs, an open-source Git platform widely used for self-hosted code repositories. Security researchers warn that the flaw allows authenticated users to execute arbitrary code remotely under certain conditions, creating serious risks for affected servers.
The vulnerability was disclosed by Rapid7 and received a CVSS severity rating of 9.4. Despite its severity, the issue has not yet received an official CVE identifier. Researchers say the flaw can be exploited without administrative privileges or user interaction.
According to Jonah Burgess, attackers can abuse the “Rebase before merging” feature by crafting a malicious branch name that injects the --exec flag into Git rebase commands. This enables remote code execution directly on the server.
The vulnerability affects default-configured Gogs instances and can be triggered simply by creating an account and repository on a vulnerable deployment. Researchers warn that exploitation is relatively simple and does not require advanced access levels.
Git Rebase Feature Creates Dangerous Attack Path
The flaw centers around Git’s “rebase” functionality, which developers commonly use to replay commits from one branch onto another to maintain a cleaner project history. Unlike traditional merging, rebasing rewrites commit history by generating new commits during integration.
Git rebase also supports an --exec option that allows shell commands to run automatically after each commit replay. Attackers can abuse this functionality by injecting malicious commands through specially crafted branch names during pull request operations.
Researchers explained that any registered user who creates a repository automatically becomes its owner. From there, enabling rebase merging only requires a simple settings change, allowing attackers to complete the entire exploit chain independently.
Even on systems where repository creation is restricted, attackers with write access to repositories that already allow rebase merging may still exploit the vulnerability and achieve code execution.
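As an added illustration, not Gogs' own code nor anything from the Rapid7 write-up, the following Go program shows the defensive pattern this class of flaw calls for: a branch-name validator that implements a subset of the documented "git check-ref-format --branch" rules, above all refusing names that begin with "-" so that no user-supplied name can ever be parsed by git as an option such as --exec, plus an argv builder that places git's end-of-options marker "--" before the positional ref names as a second line of defence. The function names, the sample branch names and the "--exec=placeholder" value are constructed for the example and are not taken from the vulnerable code.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ErrUnsafeRef is returned for a branch name that git could read as an
// option or that breaks git's ref-name rules.
var ErrUnsafeRef = errors.New("unsafe branch name")

// ValidateBranchName applies a subset of the rules documented for
// `git check-ref-format --branch`. A name that passes cannot start with
// "-", so it can never be mistaken for a flag like --exec when it is
// handed to a git subcommand.
func ValidateBranchName(name string) error {
	if name == "" || name == "@" {
		return fmt.Errorf("%w: empty or '@'", ErrUnsafeRef)
	}
	// Option injection guard: git parses a leading "-" as an option.
	if strings.HasPrefix(name, "-") {
		return fmt.Errorf("%w: starts with '-'", ErrUnsafeRef)
	}
	if strings.HasPrefix(name, "/") || strings.HasSuffix(name, "/") || strings.Contains(name, "//") {
		return fmt.Errorf("%w: bad slash placement", ErrUnsafeRef)
	}
	if strings.Contains(name, "..") || strings.Contains(name, "@{") || strings.HasSuffix(name, ".") {
		return fmt.Errorf("%w: contains '..', '@{' or trailing '.'", ErrUnsafeRef)
	}
	for _, comp := range strings.Split(name, "/") {
		if strings.HasPrefix(comp, ".") || strings.HasSuffix(comp, ".lock") {
			return fmt.Errorf("%w: component %q", ErrUnsafeRef, comp)
		}
	}
	for _, r := range name {
		// ASCII control characters, DEL, and the characters git forbids.
		if r < 0x20 || r == 0x7f || strings.ContainsRune(" ~^:?*[\\", r) {
			return fmt.Errorf("%w: forbidden character %q", ErrUnsafeRef, r)
		}
	}
	return nil
}

// RebaseArgs builds the argv for replaying head onto base. Both names are
// validated first, and "--" (git's end-of-options marker) is inserted so
// that positional arguments are never interpreted as options.
func RebaseArgs(base, head string) ([]string, error) {
	for _, n := range []string{base, head} {
		if err := ValidateBranchName(n); err != nil {
			return nil, err
		}
	}
	return []string{"git", "rebase", "--", base, head}, nil
}

func main() {
	// Constructed sample names: one benign, two that must be rejected.
	for _, name := range []string{"feature/login-fix", "--exec=placeholder", "a..b"} {
		if err := ValidateBranchName(name); err != nil {
			fmt.Printf("reject %q: %v\n", name, err)
			continue
		}
		args, _ := RebaseArgs("main", name)
		fmt.Printf("accept %q -> %v\n", name, args)
	}
}
```

The validator is the primary control: it runs at the point where a user first chooses a branch name (repository creation, push, pull-request form), so an option-shaped name never reaches any git invocation. The "--" marker in RebaseArgs is cheap insurance for the case where a ref reaches the command line by another path.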
Exploitation Could Lead to Full Server Compromise
Successful exploitation of the vulnerability could allow attackers to fully compromise affected servers. Security experts warn that threat actors may gain access to all repositories hosted on the instance, including private codebases and sensitive development data.
Attackers could also steal credentials, manipulate source code, pivot into connected internal systems, and conduct broader network attacks. The vulnerability creates particularly serious risks for organizations hosting multiple users or development teams on shared infrastructure.
Researchers additionally warned about potential cross-tenant data breaches. A compromised account could allow attackers to access private repositories belonging to other users hosted on the same Gogs server.
The issue impacts all supported operating systems, including Windows, Linux, and macOS, significantly expanding the potential attack surface for vulnerable deployments worldwide.
Unpatched Vulnerability Raises Security Concerns
Rapid7 disclosed that the vulnerability was reported to the Gogs maintainer on March 17, 2026. No official patch has been released for the flaw so far. The delay is raising concerns among cybersecurity experts and system administrators.
Security experts estimate there are at least 1,141 internet-facing Gogs instances currently exposed online. The actual number may be significantly higher because many organizations deploy Gogs internally behind VPNs or private networks.
The lack of an available patch means organizations using Gogs may need to implement temporary mitigation strategies, such as restricting repository creation, disabling rebase merging, or limiting user permissions until a fix becomes available.
As open-source development platforms grow in popularity, security risks are also increasing. The incident highlights the need to protect code collaboration tools from supply chain attacks and infrastructure threats. Experts say organizations must strengthen security controls around development environments and repository management.