Gogs patches critical zero-day flaw allowing access to private repositories

by Anika Shah - Technology

Critical Zero-Day Flaw Found in Gogs Git Service

A critical-severity zero-day vulnerability in the self-hosted Git service Gogs allows unauthenticated attackers to achieve remote code execution (RCE) on internet-facing servers. According to Rapid7, the flaw, which has been assigned a CVSS score of 9.4, enables attackers to execute arbitrary code with the privileges of the Gogs server process. The vulnerability stems from an argument injection issue within the “Rebase before merging” operation.

How the Gogs Vulnerability Works

The security flaw exists because the Gogs merge function passes branch names to the `git rebase` command without sufficient sanitization. An attacker can exploit this by creating a malicious pull request containing a branch name that injects the `--exec` flag.

According to Rapid7 senior security researcher Jonah Burgess, the exploit chain is highly accessible. Because Gogs instances often ship with open registration enabled by default and no restrictions on repository creation, an attacker can create an account, generate a repository, and enable the “Rebase before merging” setting. Once these conditions are met, the attacker can execute code remotely without requiring interaction from other users or administrative privileges.
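The following Go snippet is an added example for this article, not code from Gogs or from Rapid7's write-up. It contrasts the unsafe pattern described above (a user-controlled branch name appended directly to the `git rebase` argument vector, so a name beginning with `--` is parsed by git as an option) with a hardened builder that validates the name against git's own `check-ref-format --branch` rules and passes fully-qualified `refs/heads/...` paths, which git can only interpret as revisions. The function names and the `--exec=placeholder` sample input are invented for the example.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ErrUnsafeRef marks a branch name that must never reach a git command line.
var ErrUnsafeRef = errors.New("unsafe branch name")

// ValidateBranchName applies the rules of `git check-ref-format --branch`,
// including the rule that a branch name cannot begin with a dash, so a name
// can never be parsed by git as an option such as --exec.
func ValidateBranchName(name string) error {
	switch {
	case name == "", name == "@":
		return fmt.Errorf("%w: empty or reserved", ErrUnsafeRef)
	case strings.HasPrefix(name, "-"):
		return fmt.Errorf("%w: leading dash (option injection)", ErrUnsafeRef)
	case strings.HasPrefix(name, "/"), strings.HasSuffix(name, "/"),
		strings.HasSuffix(name, "."), strings.HasSuffix(name, ".lock"):
		return fmt.Errorf("%w: bad leading/trailing character", ErrUnsafeRef)
	case strings.Contains(name, ".."), strings.Contains(name, "@{"),
		strings.Contains(name, "//"), strings.Contains(name, "\\"):
		return fmt.Errorf("%w: forbidden sequence", ErrUnsafeRef)
	}
	for _, r := range name {
		// control characters, space and git's reserved punctuation
		if r < 0x20 || r == 0x7f || strings.ContainsRune(" ~^:?*[", r) {
			return fmt.Errorf("%w: forbidden character %q", ErrUnsafeRef, r)
		}
	}
	for _, comp := range strings.Split(name, "/") {
		if strings.HasPrefix(comp, ".") {
			return fmt.Errorf("%w: component starts with '.'", ErrUnsafeRef)
		}
	}
	return nil
}

// UnsafeRebaseArgs is the vulnerable pattern: raw names go straight into
// argv, so a branch called "--exec=..." becomes a git option.
func UnsafeRebaseArgs(upstream, branch string) []string {
	return []string{"rebase", upstream, branch}
}

// SafeRebaseArgs is the hardened pattern: validate first, then pass
// fully-qualified refs so the argument can only be a revision.
func SafeRebaseArgs(upstream, branch string) ([]string, error) {
	for _, n := range []string{upstream, branch} {
		if err := ValidateBranchName(n); err != nil {
			return nil, err
		}
	}
	return []string{"rebase", "refs/heads/" + upstream, "refs/heads/" + branch}, nil
}

func main() {
	// Constructed sample inputs: one ordinary branch, one option-shaped name.
	for _, b := range []string{"feature/login", "--exec=placeholder"} {
		fmt.Printf("unsafe: %v\n", UnsafeRebaseArgs("main", b))
		args, err := SafeRebaseArgs("main", b)
		fmt.Printf("safe:   args=%v err=%v\n", args, err)
	}
}
```

The hardened builder only constructs the argument vector; it never runs git, so it can be dropped into a unit test. Note that git's own ref rules already forbid spaces, which is why the validation above rejects them as well: a name that fails `ValidateBranchName` could not have been created through a well-behaved git client in the first place.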

Impact on Gogs Servers


Successful exploitation of this vulnerability gives attackers significant control over a compromised server. Beyond executing arbitrary code, an attacker can:

* Read all repositories hosted on the instance, including private ones.
* Extract sensitive credentials, such as password hashes, API tokens, SSH keys, and 2FA secrets.
* Modify the source code of any hosted repository.
* Pivot to other systems accessible within the local network.

Rapid7 notes that while the vulnerability requires basic user privileges, the default configuration of many Gogs instances makes this barrier to entry negligible.

Mitigation and Patching

Gogs maintainers released version 0.14.3 on June 7, 2026, to address the flaw. Rapid7 strongly recommends that all Gogs users upgrade their instances immediately.

For administrators unable to patch their systems right away, Rapid7 suggests the following defensive measures:

* Restrict User Registration: Set `DISABLE_REGISTRATION = true` in the `app.ini` file to prevent unauthorized users from creating accounts.
* Limit Repository Creation: Set `MAX_CREATION_LIMIT = 0` in `app.ini` to prevent users from creating their own repositories, which cuts off the primary attack path.
* Audit Merge Settings: While “Rebase before merging” can be disabled per repository, this is not a comprehensive fix if a malicious user has write access to a repository, as they can simply re-enable the setting.
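As an added example (not part of the article or of the Gogs project), the Go program below audits an `app.ini` for the two registration and repository-creation settings listed above and reports each one that is still permissive. It assumes the stock Gogs layout in which `DISABLE_REGISTRATION` lives under `[service]` and `MAX_CREATION_LIMIT` under `[repository]`, and treats a missing key as the permissive default (registration enabled, unlimited repository creation). The two sample configurations are constructed, not taken from any real deployment.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// parseINI is a minimal [section] / key = value reader, enough for the two
// settings audited here. Comment lines start with ';' or '#'.
func parseINI(text string) map[string]map[string]string {
	cfg := map[string]map[string]string{}
	section := ""
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || line[0] == ';' || line[0] == '#' {
			continue
		}
		if strings.HasPrefix(line, "[") && strings.HasSuffix(line, "]") {
			section = strings.ToLower(strings.Trim(line, "[]"))
			continue
		}
		if k, v, ok := strings.Cut(line, "="); ok {
			if cfg[section] == nil {
				cfg[section] = map[string]string{}
			}
			cfg[section][strings.ToUpper(strings.TrimSpace(k))] = strings.TrimSpace(v)
		}
	}
	return cfg
}

// AuditGogsConfig returns one finding per weak setting. Section names are an
// assumption based on the stock Gogs app.ini; an absent key is treated as the
// permissive default.
func AuditGogsConfig(appINI string) []string {
	cfg := parseINI(appINI)
	get := func(sec, key, def string) string {
		if v, ok := cfg[sec][key]; ok { // indexing a nil inner map is safe
			return v
		}
		return def
	}
	var findings []string
	if !strings.EqualFold(get("service", "DISABLE_REGISTRATION", "false"), "true") {
		findings = append(findings,
			"open registration: set DISABLE_REGISTRATION = true under [service]")
	}
	if get("repository", "MAX_CREATION_LIMIT", "-1") != "0" {
		findings = append(findings,
			"users may create repositories: set MAX_CREATION_LIMIT = 0 under [repository]")
	}
	return findings
}

// Constructed sample: the permissive configuration the article warns about.
const weakINI = `
[service]
DISABLE_REGISTRATION = false

[repository]
MAX_CREATION_LIMIT = -1
`

// Constructed sample: the same file with both mitigations applied.
const hardenedINI = `
[service]
DISABLE_REGISTRATION = true

[repository]
MAX_CREATION_LIMIT = 0
`

func main() {
	for name, ini := range map[string]string{"weak": weakINI, "hardened": hardenedINI} {
		fmt.Printf("%s: %d finding(s)\n", name, len(AuditGogsConfig(ini)))
		for _, f := range AuditGogsConfig(ini) {
			fmt.Println("  -", f)
		}
	}
}
```

The audit is deliberately conservative: it flags the absence of either key, because a Gogs instance that never had these lines added is running with the open defaults the article describes. Per-repository "Rebase before merging" state is not in `app.ini` and is not checked here, which matches the article's point that disabling it per repository is not a complete mitigation.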

Gogs Security History

This incident follows a pattern of argument-injection vulnerabilities within the Gogs platform. While this specific flaw affects a code path that had not been previously addressed, Burgess noted its similarity to other documented flaws including CVE-2024-39933, CVE-2024-39932, CVE-2026-26194, and CVE-2024-39930.

Gogs, which is written in Go, is designed to be a lightweight alternative to platforms like GitHub Enterprise or GitLab. Because it is often deployed in internet-facing environments for remote collaboration, maintaining updated versions is essential for protecting against these types of command execution vulnerabilities.
