
A critical security vulnerability has been disclosed in Gogs, a popular open-source self-hosted Git service, that allows an authenticated user to execute arbitrary code under certain conditions.
The security flaw, per Rapid7, is rated 9.4 on the CVSS scoring system. It does not yet have a CVE identifier.
“The vulnerability allows any authenticated user to gain remote code execution (RCE) on the server by creating a pull request with a malicious branch name that injects the --exec flag into git rebase during the ‘Rebase before merging’ merge operation,” security researcher Jonah Burgess said.
Rebasing is a Git operation that takes a sequence of commits from one feature branch and replays them on top of another base branch to create a linear project history. While "git rebase" solves the same problem as "git merge", namely integrating changes from one branch into another, the former rewrites the project history by creating new commits for each commit in the original branch.
The "git rebase" command also accepts a shell command via its --exec flag, which is executed after each commit is replayed. Because the branch name is passed to git as a command-line argument, a name that begins with "--exec=" is parsed as that option rather than as a ref. A notable aspect of the vulnerability is that it does not require admin privileges or interaction with other users. To pull off the attack, all a threat actor without an existing account has to do is register and create a repository on any default-configured instance.
“Any registered user who creates a repo is automatically its owner,” Burgess said. “From there, enabling rebase merging is a single toggle in settings, and the entire exploit chain can be operated without interaction from any other user.”
In an alternative scenario, a user with write access to a repository where rebase merging is already enabled can exploit the flaw directly to obtain code execution. On Gogs instances where repository creation is restricted, an attacker needs write access to some repository that has rebase merging enabled.
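To make the argument-injection mechanism concrete, below is an added Go example (Gogs is written in Go, but this is illustrative code written for this article, not Gogs's own code). It contrasts a command builder that passes an untrusted pull request branch name straight to "git rebase" with one that rejects option-like names, validates the ref against git's own naming rules, and terminates option parsing explicitly. The function names, the sample branch names and the injected command are constructed for illustration; the --end-of-options terminator assumes Git 2.24 or newer.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// unsafeRebaseArgs mirrors the vulnerable pattern described in the article:
// the pull request's head branch is appended to "git rebase" as-is, so a
// branch named "--exec=<cmd>" is read by git as the --exec option and <cmd>
// runs after every replayed commit. Illustrative only, not Gogs code.
func unsafeRebaseArgs(baseBranch, headBranch string) []string {
	return []string{"rebase", baseBranch, headBranch}
}

// refNameForbidden collects the patterns "git check-ref-format" rejects:
// a component starting with ".", "..", control characters, space, DEL,
// the characters ~ ^ : ? * [ \, "//", a trailing "/" or ".lock", "@{" and "@".
var refNameForbidden = regexp.MustCompile(`(^|/)\.|\.\.|[\x00-\x20\x7f~^:?*\[\\]|//|/$|\.lock$|@\{|^@$`)

// validateRefName returns an error for anything that could be interpreted
// as an option (leading "-") or that is not a well-formed git ref name.
func validateRefName(name string) error {
	switch {
	case name == "":
		return errors.New("empty ref name")
	case strings.HasPrefix(name, "-"):
		return fmt.Errorf("ref name %q starts with '-' and would be parsed as an option", name)
	case refNameForbidden.MatchString(name):
		return fmt.Errorf("ref name %q is not a valid git ref", name)
	}
	return nil
}

// safeRebaseArgs validates both names and then places --end-of-options
// before them, so git stops option parsing even if a check is ever loosened.
func safeRebaseArgs(baseBranch, headBranch string) ([]string, error) {
	for _, n := range []string{baseBranch, headBranch} {
		if err := validateRefName(n); err != nil {
			return nil, err
		}
	}
	return []string{"rebase", "--end-of-options", baseBranch, headBranch}, nil
}

// isOptionInjected reports whether any operand after the subcommand begins
// with "-", i.e. whether git would read it as a flag instead of a ref.
func isOptionInjected(args []string) bool {
	for _, a := range args[1:] {
		if strings.HasPrefix(a, "-") && a != "--end-of-options" {
			return true
		}
	}
	return false
}

func main() {
	// Constructed attacker-controlled branch name in the shape the article describes.
	malicious := "--exec=id>/tmp/pwned"
	vuln := unsafeRebaseArgs("master", malicious)
	fmt.Println("vulnerable argv:", vuln, "option injected:", isOptionInjected(vuln))
	if _, err := safeRebaseArgs("master", malicious); err != nil {
		fmt.Println("hardened builder rejected it:", err)
	}
	ok, _ := safeRebaseArgs("master", "feature/login-fix")
	fmt.Println("hardened argv:", ok)
}
```

The leading-dash check alone is what defeats the injection; --end-of-options is defense in depth, and the ref-name validation keeps other git-unfriendly input out of the command line. In a real service the same validation should be applied when the branch is pushed or the pull request is created, not only at merge time.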
As of writing, the vulnerability remains unpatched despite having been reported to the maintainer on March 17, 2026. Successful exploitation of the bug could grant an attacker the ability to breach the server, access every repository on the instance, dump credentials, move laterally to other network-accessible systems, and tamper with any hosted repository's code.
What's more, it can lead to a cross-tenant data breach, allowing the attacker to read other users' private repositories hosted on the same shared server. According to Rapid7, the flaw affects all supported platforms, including Windows, Linux, and macOS.
There are an estimated 1,141 internet-facing Gogs instances. However, the actual figure is expected to be higher, given that most deployments sit behind VPNs or on internal networks.
In the absence of a patch, the following mitigations are recommended:
- Restrict user registration (DISABLE_REGISTRATION = true in app.ini) to prevent untrusted users from creating accounts
- Restrict repository creation (MAX_CREATION_LIMIT = 0 in app.ini) to prevent users from creating their own repositories
- Audit the rebase merge settings of existing repositories, since the attack requires "Rebase before merging" to be enabled on the target repository
Rapid7 has also released a Metasploit module that automates the full exploit chain against both Linux and Windows targets. The module supports two modes: a default mode in which a temporary repository is created under the attacker's account, the exploit is run, and the repository is deleted; and a second mode that targets a repository to which the attacker already has write and merge access.
“When the attacker creates and deletes their own repository, the only trace is an HTTP 500 in the server logs,” the cybersecurity firm said. “When exploiting an existing repository, more artifacts remain.”

