Critical RCE Vulnerability in Gogs Exposes Self-Hosted Git Instances
A severe security flaw in Gogs, a widely used open-source self-hosted Git service, has been disclosed, allowing authenticated users to execute arbitrary code under specific conditions. The vulnerability, rated 9.4 on the CVSS scale, lacks a CVE identifier but poses a significant risk to unpatched instances.
The flaw is an argument-injection bug that yields remote code execution (RCE). During a "Rebase before merging" operation Gogs passes the pull request's branch name to git rebase on the command line, so a branch name crafted to look like the --exec option is parsed as that option, and git runs its argument as a command on the server. An attacker triggers it simply by opening a pull request from such a branch. Notably, the attack needs neither admin privileges nor interaction from other users, only a registered account and ownership of a repository, which Gogs grants by default.
In cases where repository creation is restricted, an attacker with write access to a repository with rebase merging enabled can still exploit the vulnerability. Successful exploitation could lead to server compromise, credential theft, lateral movement, and tampering with hosted code. Additionally, the flaw may enable cross-tenant data breaches, exposing private repositories on shared servers.
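The following is an added example, not code from the article, from Rapid7, or from the Gogs project. It shows the general shape of the bug the article describes, an operand that git's option parser reads as an option, and the two controls a forge should apply: reject ref names that begin with a dash (git's own check-ref-format rules only enforce that for branch shorthand, so refs/heads/--exec=... is otherwise a valid full refname) and place operands after git's end-of-options marker "--", which commands built on git's option parser, rebase among them, honour. The function names, the rule subset and the harmless payload ("id") are this example's assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Added example (not Gogs code): how a ref name reaches git's option parser,
// and how to build the rebase command so that it cannot.

// ErrOptionLikeRef is returned for names that git's parser would read as an option.
var ErrOptionLikeRef = errors.New("ref name begins with '-' and would be parsed as an option")

// ErrBadRefName is returned for names that violate git's refname rules.
var ErrBadRefName = errors.New("invalid ref name")

// CheckBranchName applies the git check-ref-format rules that matter here plus
// the leading-dash rule that git itself only enforces for branch shorthand.
func CheckBranchName(name string) error {
	switch {
	case name == "", name == "@":
		return ErrBadRefName
	case strings.HasPrefix(name, "-"):
		return ErrOptionLikeRef
	case strings.HasPrefix(name, "/"), strings.HasSuffix(name, "/"),
		strings.HasSuffix(name, "."), strings.Contains(name, ".."),
		strings.Contains(name, "//"), strings.Contains(name, "@{"):
		return ErrBadRefName
	}
	for _, comp := range strings.Split(name, "/") {
		if strings.HasPrefix(comp, ".") || strings.HasSuffix(comp, ".lock") {
			return ErrBadRefName
		}
	}
	for _, r := range name {
		if r < 0x20 || r == 0x7f || strings.ContainsRune(" ~^:?*[\\", r) {
			return ErrBadRefName
		}
	}
	return nil
}

// RebaseArgsUnsafe is the injectable pattern: positional operands appended
// straight after the subcommand, so an operand starting with "-" is an option.
func RebaseArgsUnsafe(upstream, branch string) []string {
	return []string{"rebase", upstream, branch}
}

// RebaseArgs validates both operands and places them after the end-of-options
// marker "--", so a dash-prefixed operand is never treated as an option even
// if validation were bypassed.
func RebaseArgs(upstream, branch string) ([]string, error) {
	for _, n := range []string{upstream, branch} {
		if err := CheckBranchName(n); err != nil {
			return nil, fmt.Errorf("refusing %q: %w", n, err)
		}
	}
	return []string{"rebase", "--", upstream, branch}, nil
}

// InjectedOptions lists argv elements after the subcommand that git would
// parse as options: anything beginning with "-" before a "--" marker.
func InjectedOptions(argv []string) []string {
	if len(argv) == 0 {
		return nil
	}
	var found []string
	for _, a := range argv[1:] {
		if a == "--" {
			break
		}
		if strings.HasPrefix(a, "-") {
			found = append(found, a)
		}
	}
	return found
}

func main() {
	// Constructed sample: a branch whose short name is shaped like the rebase
	// option the article names. The payload here is harmless ("id").
	const malicious = "--exec=id"
	unsafe := RebaseArgsUnsafe("main", malicious)
	fmt.Println("unsafe argv:", unsafe, "injected:", InjectedOptions(unsafe))
	if _, err := RebaseArgs("main", malicious); err != nil {
		fmt.Println("hardened:", err)
	}
	argv, _ := RebaseArgs("main", "feature/login")
	fmt.Println("hardened argv:", argv)
}
```

Validation is the primary control; the "--" marker is defence in depth for the case where a ref name reaches the command line by a path the validator does not cover (a push of a full refname, an API that bypasses the branch-creation UI).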
The vulnerability affects all supported platforms (Windows, Linux, macOS) and was reported to Gogs maintainers on March 17, 2026, but remains unpatched. While 1,141 internet-facing Gogs instances have been identified, the actual number of vulnerable deployments is likely higher, as many are behind VPNs or internal networks.
Security firm Rapid7 has developed a Metasploit module to automate exploitation, supporting two attack modes: one that creates and deletes a temporary repository (leaving minimal logs) and another that targets an existing repository to which the attacker already has write access. The flaw underscores the risks of unpatched self-hosted Git services in enterprise and open-source environments.
Source: https://thehackernews.com/2026/05/critical-gogs-rce-vulnerability-lets.html
GOG cybersecurity rating report: https://www.rankiteo.com/company/gogcom
{
  "id": "GOG1780035947",
  "linkid": "gogcom",
  "type": "Vulnerability",
  "date": "3/2026",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}
{
  "affected_entities": [
    {
      "customers_affected": "1,141+ internet-facing instances (likely more behind VPNs/internal networks)",
      "industry": "Software Development",
      "location": "Global",
      "name": "Gogs",
      "type": "Open-source self-hosted Git service"
    }
  ],
  "attack_vector": "Authenticated user with repository ownership or write access exploiting the `--exec` flag in `git rebase` via a malicious branch name in a pull request",
  "data_breach": {
    "data_exfiltration": "Possible (cross-tenant data breaches)",
    "sensitivity_of_data": "High (private repositories, credentials)",
    "type_of_data_compromised": ["Private repositories", "Credentials", "Hosted code"]
  },
  "date_detected": "2026-03-17",
  "description": "A severe security flaw in Gogs, a widely used open-source self-hosted Git service, has been disclosed, allowing authenticated users to execute arbitrary code under specific conditions. The vulnerability enables remote code execution (RCE) by exploiting the `--exec` flag in `git rebase` during a 'Rebase before merging' operation. An attacker can trigger the exploit by creating a malicious branch name in a pull request. Successful exploitation could lead to server compromise, credential theft, lateral movement, and tampering with hosted code. The flaw may also enable cross-tenant data breaches, exposing private repositories on shared servers.",
  "impact": {
    "data_compromised": "Private repositories, credentials, hosted code",
    "operational_impact": "Server compromise, lateral movement, tampering with hosted code",
    "systems_affected": "Self-hosted Gogs instances (Windows, Linux, macOS)"
  },
  "investigation_status": "Vulnerability disclosed, unpatched",
  "post_incident_analysis": {
    "root_causes": "Improper handling of the `--exec` flag in `git rebase` during 'Rebase before merging' operations"
  },
  "recommendations": "Patch or update Gogs instances immediately once a fix is available. Restrict repository creation and rebase merging permissions where possible. Monitor for suspicious pull requests or branch names.",
  "references": [{"source": "Rapid7"}],
  "response": {
    "third_party_assistance": "Rapid7 (Metasploit module development)"
  },
  "title": "Critical RCE Vulnerability in Gogs Exposes Self-Hosted Git Instances",
  "type": "Remote Code Execution (RCE)",
  "vulnerability_exploited": "Improper handling of the `--exec` flag in `git rebase` during 'Rebase before merging' operations"
}
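The recommendations above include monitoring for suspicious branch names. The following is an added example, not code from the article, from Rapid7, or from the Gogs project, of a scanner that does that check on the server side without invoking git: it reads loose refs and the packed-refs file of a bare repository directly, which also works on a copy of the repository directory taken during incident response. The two heuristics (a short name beginning with "-", and a path component beginning with "-"), the function names, and the constructed sample repository in main are this example's assumptions; a real deployment would point ScanRepo at every bare repository under the Gogs repository root.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// Finding is one ref whose name could be read by git as an option.
type Finding struct {
	Repo, Ref, Reason string
}

// SuspiciousRef explains why a full ref name looks like an argument-injection
// attempt, or returns "" for an ordinary name. Only the short name matters:
// refs/heads/--exec=x is a valid full refname, and the short name is what a
// forge puts on the git command line.
func SuspiciousRef(ref string) string {
	short := ref
	for _, p := range []string{"refs/heads/", "refs/tags/", "refs/pull/"} {
		if strings.HasPrefix(ref, p) {
			short = ref[len(p):]
			break
		}
	}
	if strings.HasPrefix(short, "-") {
		return "short name begins with '-': git parses it as an option"
	}
	for _, comp := range strings.Split(short, "/") {
		if strings.HasPrefix(comp, "-") {
			return "a path component begins with '-': review how it is passed to git"
		}
	}
	return ""
}

// ScanPackedRefs parses packed-refs text ("<object-id> <refname>" per line;
// "#" header and "^" peeled-tag lines carry no ref name) and returns findings.
func ScanPackedRefs(repo string, r io.Reader) ([]Finding, error) {
	var out []Finding
	sc := bufio.NewScanner(r)
	for sc.Scan() {
		line := sc.Text()
		if line == "" || line[0] == '#' || line[0] == '^' {
			continue
		}
		_, ref, ok := strings.Cut(line, " ")
		if !ok {
			continue
		}
		if why := SuspiciousRef(ref); why != "" {
			out = append(out, Finding{repo, ref, why})
		}
	}
	return out, sc.Err()
}

// ScanRepo checks the loose refs under <dir>/refs and <dir>/packed-refs of a
// bare repository. A missing refs directory or packed-refs file is not an error.
func ScanRepo(dir string) ([]Finding, error) {
	var out []Finding
	err := filepath.Walk(filepath.Join(dir, "refs"), func(p string, info os.FileInfo, err error) error {
		if err != nil {
			return err
		}
		if info.IsDir() {
			return nil
		}
		rel, err := filepath.Rel(dir, p)
		if err != nil {
			return err
		}
		ref := filepath.ToSlash(rel) // loose ref path is the full ref name
		if why := SuspiciousRef(ref); why != "" {
			out = append(out, Finding{dir, ref, why})
		}
		return nil
	})
	if err != nil && !os.IsNotExist(err) {
		return nil, err
	}
	f, err := os.Open(filepath.Join(dir, "packed-refs"))
	if err != nil {
		if os.IsNotExist(err) {
			return out, nil
		}
		return nil, err
	}
	defer f.Close()
	packed, err := ScanPackedRefs(dir, f)
	if err != nil {
		return nil, err
	}
	return append(out, packed...), nil
}

func main() {
	// Constructed sample repository (not real data): one benign loose ref and
	// one packed ref shaped like the rebase option the article names.
	dir, err := os.MkdirTemp("", "scanrefs")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	oid := []byte("0000000000000000000000000000000000000001\n")
	_ = os.MkdirAll(filepath.Join(dir, "refs", "heads"), 0o755)
	_ = os.WriteFile(filepath.Join(dir, "refs", "heads", "main"), oid, 0o644)
	_ = os.WriteFile(filepath.Join(dir, "packed-refs"),
		[]byte("# pack-refs with: peeled fully-peeled sorted \n"+string(oid[:40])+" refs/heads/--exec=id\n"), 0o644)
	findings, err := ScanRepo(dir)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s: %s (%s)\n", f.Repo, f.Ref, f.Reason)
	}
}
```

Run it against the repository root as the Gogs service user, and treat any hit on a pull-request head branch as an incident, not just a policy violation, since the article's attack needs nothing beyond creating that branch.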