Gogs 0-Day Vulnerability Lets Attackers Execute Remote Commands
Gogs, one of the world’s most widely deployed self-hosted Git platforms, is impacted by a critical zero-day vulnerability that allows any authenticated user to execute arbitrary commands on the underlying server; no patch was available at the time of publication.
Rapid7 Labs researcher Jonah Burgess (CryptoCat) identified the flaw, tracked as a CWE-88 argument injection vulnerability, and scored it CVSSv4 9.4 (Critical).
The vulnerability resides in Gogs’ “Rebase before merging” merge operation and affects the latest stable release, Gogs 0.14.2, as well as the development build 0.15.0+dev (commit b53d3162). All prior versions supporting the rebase merge style are also likely vulnerable.
Gogs 0-Day Vulnerability
The exploit targets the Merge() function in internal/database/pull.go, which passes pull request base branch names directly to a git rebase command without a POSIX -- separator or proper argument sanitization. An attacker crafts a malicious branch name such as --exec=touch${IFS}/tmp/rce_proof and opens a pull request using that branch.
When the rebase merge is triggered, Git’s argument parser interprets --exec as a flag rather than a branch name, causing Git to run the attacker-controlled command via sh -c after each replayed commit.
The result is arbitrary command execution running as the Gogs server process user — typically git on both Docker and binary installations.
What makes this especially dangerous is the low barrier to entry. Gogs ships with open user registration and unlimited repository creation enabled by default.
This means an unauthenticated attacker can register an account, create a repository, enable rebase merging in settings, and launch the full exploit chain entirely within their own account, requiring no interaction from any other user and no administrative privileges, Jonah Burgess said.
The practical consequences of a successful exploit are severe:
- Server compromise via arbitrary command execution as the Gogs process user
- Cross-tenant data breach — read every repository on the instance, including private repos from other users
- Credential theft — dump password hashes, API tokens, SSH keys, and 2FA secrets from the database
- Lateral movement to other systems reachable from the server’s network
- Supply chain attacks — silently modify any hosted repository’s code, bypassing audit logging
Gogs has approximately 50,000 GitHub stars and over 5,000 forks, and a Shodan search at the time of publication revealed 1,141 internet-facing instances; the real install base is far larger because of internal and VPN-protected deployments.
A fully functional Metasploit module has been published, making exploitation trivial and automatable in seconds.
Defenders should monitor Gogs server logs for ERROR-level entries containing patterns like git checkout '--exec=<...>': exit status 128.
Administrators should also audit repository branch listings for names beginning with --, check user token lists at /-/user/settings/applications for unexpected msf_<hex> entries, and inspect PR histories on sensitive repositories.
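The two defensive checks above can be made concrete. The following Go code is an added example, not Gogs' own code nor Rapid7's: a branch-name validator that rejects anything git's option parser would read as a flag (the leading-dash rule from git check-ref-format --branch), and a scanner for the ERROR-level log pattern the article names. The sample log excerpt is constructed.

```go
package main

import (
	"errors"
	"regexp"
	"strings"
)

// ErrUnsafeBranch flags names that git's option parser would treat as a flag.
var ErrUnsafeBranch = errors.New("branch name would be parsed as a git option")

// ValidateBranchName runs the checks a server should apply before a branch name
// is spliced into a git command line (mirrors git check-ref-format --branch).
func ValidateBranchName(name string) error {
	if name == "" || name == "@" {
		return errors.New("branch name is empty or reserved")
	}
	if strings.HasPrefix(name, "-") { // the --exec injection case
		return ErrUnsafeBranch
	}
	for _, r := range name {
		if r < 0x20 || r == 0x7f || strings.ContainsRune(" ~^:?*[\\", r) {
			return errors.New("forbidden character in branch name")
		}
	}
	if strings.Contains(name, "..") || strings.Contains(name, "@{") ||
		strings.Contains(name, "//") || strings.HasPrefix(name, "/") ||
		strings.HasSuffix(name, "/") || strings.HasSuffix(name, ".") {
		return errors.New("invalid branch name structure")
	}
	for _, comp := range strings.Split(name, "/") {
		if strings.HasPrefix(comp, ".") || strings.HasSuffix(comp, ".lock") {
			return errors.New("component starts with '.' or ends with '.lock'")
		}
	}
	return nil
}

// execPattern matches the ERROR-level entries the article says to hunt for.
var execPattern = regexp.MustCompile(`git checkout '--exec=[^']*': exit status 128`)

// SampleLog is a constructed Gogs log excerpt, not a real capture.
const SampleLog = "[ INFO] serving\n[ERROR] git checkout '--exec=touch${IFS}/tmp/rce_proof': exit status 128"

// ScanLog returns every line of a Gogs log that matches execPattern.
func ScanLog(logText string) []string {
	var hits []string
	for _, line := range strings.Split(logText, "\n") {
		if execPattern.MatchString(line) {
			hits = append(hits, line)
		}
	}
	return hits
}
```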
Mitigations
No vendor patch exists. Until one is released, organizations should apply these mitigations immediately:
- Set DISABLE_REGISTRATION = true in app.ini to block untrusted account creation
- Set MAX_CREATION_LIMIT = 0 to prevent users from creating new repositories
- Audit all repositories for the “Rebase before merging” setting, especially on repos with external contributors
Rapid7 first reported this vulnerability to Gogs maintainers on March 17, 2026. Despite multiple follow-ups through May 2026, no fix has been delivered.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.