A critical unpatched zero-day vulnerability in Gogs — a widely used self-hosted Git platform — allows attackers to execute arbitrary code on the server remotely. With no vendor patch available and a working exploit already public, organisations running Gogs must act immediately.
What Is Gogs?
Gogs is an open-source, self-hosted Git service — similar in purpose to GitHub or GitLab, but designed to be lightweight and run on your own infrastructure. It’s popular with development teams, small businesses, and organisations that want full control over their source code without relying on cloud-hosted repositories. With approximately 50,000 GitHub stars, it has a substantial install base. Shodan currently shows over 1,100 internet-facing instances, with many more running internally behind firewalls and VPNs.
The Vulnerability: CVSS 9.4 Argument Injection
The flaw, classified as CWE-88 (Argument Injection), carries a CVSS score of 9.4 (Critical). It lies in the Merge() function in Gogs’ source at internal/database/pull.go. When processing a pull request with the rebase merge style, the function passes the pull request’s base branch name directly to a git rebase command, with neither a POSIX -- separator nor any input sanitisation.
This means that a maliciously crafted branch name is interpreted by Git as a command-line argument rather than a branch name. An attacker who names a branch something like --exec=touch${IFS}/tmp/rce_proof can cause Git to execute arbitrary shell commands via sh -c after each replayed commit during the rebase operation.
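To make the defect concrete, here is an added illustration (not Gogs’ own code) of the two ways a ref name can reach the git command line: the unsafe shape described above, and a hardened form that validates the name and places it after --. checkRefName is a deliberately conservative filter of my own, not git’s full check-ref-format rules, and isParsedAsOption is a simplified model of how git’s option parser treats leading-dash arguments rather than a call into git.

```go
package main

import (
	"fmt"
	"strings"
)

// vulnerableRebaseArgs mirrors the shape of the defect described above: the
// base branch lands on the git command line with no "--" separator.
// (Illustration only, not the Gogs source.)
func vulnerableRebaseArgs(base string) []string {
	return []string{"rebase", base}
}

// hardenedRebaseArgs validates the name and places it after "--", so git
// treats it as an operand even if it begins with "-".
func hardenedRebaseArgs(base string) ([]string, error) {
	if err := checkRefName(base); err != nil {
		return nil, err
	}
	return []string{"rebase", "--", base}, nil
}

// checkRefName is a conservative defence-in-depth filter (an assumption, not
// git's full check-ref-format rules): no leading dash, no shell metacharacters.
func checkRefName(name string) error {
	if name == "" || strings.HasPrefix(name, "-") {
		return fmt.Errorf("ref name %q rejected: git would parse it as an option", name)
	}
	if strings.ContainsAny(name, " \t\n$`;|&<>'\"\\") || strings.Contains(name, "..") {
		return fmt.Errorf("ref name %q rejected: forbidden character", name)
	}
	return nil
}

// isParsedAsOption models git's option parser: an argument before "--" that
// starts with "-" is a flag; everything after "--" is an operand.
func isParsedAsOption(args []string) bool {
	for _, a := range args[1:] { // args[0] is the subcommand
		if a == "--" {
			return false
		}
		if strings.HasPrefix(a, "-") {
			return true
		}
	}
	return false
}
```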
Affected Versions
- Gogs 0.14.2 (current latest stable release)
- Gogs 0.15.0+dev (development build as of commit b53d3162)
- All prior versions supporting the rebase merge style
In short: every currently available version of Gogs is vulnerable.
How Easy Is It to Exploit?
Very. On a Gogs instance with open registration enabled (the default configuration), the attack requires no existing credentials. An attacker can:
- Register a free account (no admin action required)
- Create a repository
- Create a branch with a malicious name containing Git flags and shell commands
- Open a pull request using that branch
- Trigger the rebase merge operation
The commands execute with the privileges of the Gogs server process — typically the git user — giving the attacker a foothold on the server that can be used for further privilege escalation, data exfiltration, or persistent access.
Making matters considerably worse, a fully functional Metasploit module has been published, automating the entire exploit chain. This means exploitation is now trivial and can be executed in seconds by anyone with basic familiarity with security tooling.
No Patch Available
Rapid7 disclosed this vulnerability to the Gogs maintainers on 17 March 2026. Despite multiple follow-up attempts through May 2026, no fix has been released. The vulnerability was publicly disclosed without a vendor patch in place — a situation known as a zero-day — because the coordinated disclosure window elapsed with no response from the maintainers.
There is currently no patched version to upgrade to. Organisations must rely on configuration-level mitigations until the maintainers release a fix.
Immediate Mitigations
If you run Gogs, apply these configuration changes in your app.ini file immediately:
Disable Open Registration
Setting DISABLE_REGISTRATION = true prevents unauthenticated users from creating accounts. This closes the easiest path in: exploiting the flaw requires a valid account to create repositories and open pull requests. Restricting registration to administrator-created accounts significantly raises the bar.
Restrict Repository Creation
Setting MAX_CREATION_LIMIT = 0 prevents non-admin users from creating new repositories, further limiting the ability to set up the conditions required to trigger the vulnerability.
Audit Rebase Merge Settings
Review all existing repositories — particularly those with external contributors — for the “Rebase before merging” setting. Disabling this merge style removes the specific code path that the vulnerability exploits.
Monitor for Exploitation Attempts
Check Gogs server logs for ERROR-level entries containing patterns like git checkout '--exec=<...>': exit status 128. An entry of this shape indicates an attempted (possibly failed) exploitation of the argument injection flaw, and the pull request and branch that produced it should be investigated.
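As an added example (not from the advisory and not part of Gogs), a small Go scanner that applies the indicator above to a few constructed log lines; the exact Gogs log layout is an assumption, and the match is kept to ERROR-level lines in which git received a single-quoted argument beginning with a dash and exited non-zero.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// sampleLog holds constructed lines (the exact Gogs log layout is an
// assumption). Only the third line carries the indicator from the advisory.
const sampleLog = `2026/05/20 10:15:01 [ INFO] PullRequest #7: rebase merge requested by alice
2026/05/20 10:15:02 [ERROR] git checkout 'feature/login': exit status 128
2026/05/20 10:15:03 [ERROR] git checkout '--exec=<...>': exit status 128
2026/05/20 10:15:04 [ERROR] GetRepository: repository does not exist`

// Finding is one suspicious log line and the option-like argument git saw.
type Finding struct {
	Line int
	Arg  string
}

// optionArg matches a git subcommand whose single-quoted operand begins with
// a dash (a ref name git would parse as a flag), followed by a non-zero exit.
var optionArg = regexp.MustCompile(`git \w+ '(-[^']*)': exit status [1-9]\d*`)

// ScanGogsLog follows the advisory's indicator: ERROR-level lines in which
// git was handed a quoted argument that starts with "-".
func ScanGogsLog(log string) []Finding {
	var findings []Finding
	sc := bufio.NewScanner(strings.NewReader(log))
	for n := 1; sc.Scan(); n++ {
		line := sc.Text()
		if !strings.Contains(line, "[ERROR]") {
			continue
		}
		if m := optionArg.FindStringSubmatch(line); m != nil {
			findings = append(findings, Finding{Line: n, Arg: m[1]})
		}
	}
	return findings
}

func main() {
	for _, f := range ScanGogsLog(sampleLog) {
		fmt.Printf("line %d: git received option-like ref %q; review the pull request and branch behind it\n", f.Line, f.Arg)
	}
}
```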
Consider Whether Gogs Is the Right Platform
This vulnerability highlights a broader risk with smaller open-source projects: limited maintainer capacity to respond to critical security disclosures in a timely manner. Gogs received a critical security report in March and, after more than two months, has published neither a fix nor a public acknowledgement. For organisations where source code security is important — and it should be for every software team — this may be a prompt to evaluate whether a more actively maintained alternative (Gitea, GitLab Community Edition, or a cloud-hosted service) better suits their security requirements.
BIT Tech and Development Infrastructure Security
BIT Tech IT Solutions helps businesses manage and secure their development infrastructure, including self-hosted Git platforms, CI/CD pipelines, and code repositories. If you’re running Gogs or other self-hosted development tools and want to assess your exposure, contact our team.