
A critical security vulnerability has been disclosed in Gogs, a popular open source self-hosted Git service, that could allow authenticated users to execute arbitrary code under certain conditions.
According to Rapid7, this security flaw is rated 9.4 on the CVSS scoring system. There is no CVE identifier.
“This vulnerability allows an authenticated user to perform remote code execution (RCE) on a server by creating a pull request with a malicious branch name that injects the --exec flag to git rebase during a ‘rebase before merge’ merge operation,” said security researcher Jonah Burgess.
Rebasing is a Git action used to take a set of commits from one feature branch and replay them on another base branch to create a linear project history. “git rebase” solves the same problem as “git merge” – merging changes from one branch to another, but the former rewrites the project history by creating a new commit for each commit in the original branch.
The “git rebase” action accepts a shell command via the --exec flag, which is executed after each commit is replayed. What is notable about this vulnerability is that it requires neither administrator privileges nor interaction with other users. To carry out an attack, all an attacker without an existing account needs to do is register one and create a repository on an instance with the default configuration.
“A registered user who creates a repository automatically becomes its owner,” Burgess says. “From there, you can enable rebase merging with a single setting toggle and manipulate the entire exploit chain without any interaction from other users.”
In another scenario, a user with write access to a repository that already has rebasing enabled could directly exploit this flaw to execute code. On Gogs instances where repository creation is restricted, an attacker would need write access to a repository that has rebase merge enabled.
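The mechanism described above is a classic argument-injection pattern: a user-controlled branch name is placed on a git command line where git parses options, so a name beginning with "-" becomes a flag. The following Go code is an added illustration written for this article; it is not Gogs' own code, and the function names (validateBranchName, unsafeRebaseArgs, safeRebaseArgs, auditBranchNames) and the sample branch names are constructed for the example. It shows the unsafe argv shape beside a hardened one that applies the relevant "git check-ref-format --branch" rules and terminates option parsing with "--", and an audit helper an administrator can run over a list of existing branch names.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ErrUnsafeRef is returned for a branch name that git could misparse or reject.
var ErrUnsafeRef = errors.New("unsafe branch name")

// validateBranchName applies the subset of "git check-ref-format --branch"
// rules that matter when a user-supplied name ends up on a git command line.
// The first check is the one this bug class hinges on: a name starting with
// "-" is read by git as an option (for example --exec), not as a ref.
func validateBranchName(name string) error {
	if name == "" || name == "@" {
		return fmt.Errorf("%w: empty or %q", ErrUnsafeRef, name)
	}
	if strings.HasPrefix(name, "-") {
		return fmt.Errorf("%w: %q starts with '-' and would be parsed as a flag", ErrUnsafeRef, name)
	}
	if strings.HasSuffix(name, "/") || strings.HasSuffix(name, ".") ||
		strings.Contains(name, "..") || strings.Contains(name, "@{") || strings.Contains(name, "//") {
		return fmt.Errorf("%w: %q contains a forbidden sequence", ErrUnsafeRef, name)
	}
	for _, comp := range strings.Split(name, "/") {
		if strings.HasPrefix(comp, ".") || strings.HasSuffix(comp, ".lock") {
			return fmt.Errorf("%w: %q has a bad path component", ErrUnsafeRef, name)
		}
	}
	for _, r := range name {
		if r < 0x20 || r == 0x7f || strings.ContainsRune(" ~^:?*[\\", r) {
			return fmt.Errorf("%w: %q contains disallowed character %q", ErrUnsafeRef, name, r)
		}
	}
	return nil
}

// unsafeRebaseArgs is the argv shape that makes branch-name injection possible:
// unvalidated, user-controlled names sit where git still parses options.
func unsafeRebaseArgs(base, head string) []string {
	return []string{"rebase", base, head}
}

// safeRebaseArgs validates both names and then ends option parsing with "--"
// before any user-controlled value, so no name can be read as a flag.
func safeRebaseArgs(base, head string) ([]string, error) {
	for _, n := range []string{base, head} {
		if err := validateBranchName(n); err != nil {
			return nil, err
		}
	}
	return []string{"rebase", "--", base, head}, nil
}

// auditBranchNames returns the names from a listing (for example the output of
// "git branch --list" on a server-side clone) that fail validation, so an
// administrator can review them while the instance is unpatched.
func auditBranchNames(names []string) []string {
	var suspicious []string
	for _, n := range names {
		if err := validateBranchName(n); err != nil {
			suspicious = append(suspicious, n)
		}
	}
	return suspicious
}

func main() {
	// Constructed sample branch listing; the dash-prefixed name mimics the
	// injection shape the advisory describes without running anything.
	names := []string{"master", "feature/login-fix", "--exec=true", "bad..name"}
	fmt.Println("unsafe argv:", unsafeRebaseArgs("master", names[2]))
	if _, err := safeRebaseArgs("master", names[2]); err != nil {
		fmt.Println("safe builder rejected it:", err)
	}
	fmt.Println("audit findings:", auditBranchNames(names))
}
```

The validation is the primary control; the "--" separator is a second, independent layer so that a name which slips past validation in some future git version still cannot be read as an option.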
At the time of writing, this vulnerability remains unpatched despite being reported to administrators on March 17, 2026. Successful exploitation of this bug could allow an attacker to compromise the server, access all repositories on the instance, dump credentials, move to other accessible systems on the network, and tamper with the code of the hosted repositories.
Additionally, a cross-tenant data breach could occur, allowing an attacker to read other users’ private repositories hosted on the same shared server. According to Rapid7, this flaw affects all supported platforms, including Windows, Linux, and macOS.
There are an estimated 1,141 instances of Gogs connected to the internet. However, given that most deployments are located behind a VPN or internal network, we expect the actual numbers to be higher.
If a patch is not available, the following recommendations are outlined:
Restrict user registration (DISABLE_REGISTRATION = true in app.ini) to prevent untrusted users from creating accounts.
Restrict repository creation (MAX_CREATION_LIMIT = 0 in app.ini) to prevent users from creating their own repositories.
Audit the rebase merge configuration.
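The two app.ini settings named above, placed under the sections where the Gogs default app.ini keeps them, as an added configuration fragment (not taken from the advisory). The file path custom/conf/app.ini is the usual Gogs override location; the comments are mine.

```ini
; Hardening fragment for custom/conf/app.ini while no patch is available.
; Added example, not from the advisory; section names follow the Gogs default app.ini.
; Restart Gogs after changing these values.

[service]
; Stop untrusted users from registering accounts on the instance.
DISABLE_REGISTRATION = true

[repository]
; Stop existing users from creating repositories they would own
; (owning a repository is what lets a user enable rebase merging).
MAX_CREATION_LIMIT = 0
```

The third recommendation, auditing the rebase merge configuration, is a per-repository setting rather than an app.ini key, so it has to be reviewed repository by repository.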
Rapid7 has also created a Metasploit module that automates complete exploit chains against both Linux and Windows targets. This module supports two modes. The default mode creates a temporary repository under the attacker’s account, runs the exploit, and deletes the repository. The second approach targets repositories where the attacker already has write and merge access.
“If an attacker creates and deletes their own repositories, the only trace is an HTTP 500 in the server logs,” cybersecurity experts said. “Using an existing repository leaves additional artifacts behind.”
