
New Gogs zero-day flaw lets hackers get remote code execution

Why This Matters

The discovery of a zero-day vulnerability in Gogs highlights the ongoing security challenges faced by self-hosted development tools, especially as they are widely used for remote collaboration. This flaw underscores the importance of timely patching and configuration security to prevent potential remote code execution and data breaches. For developers and organizations relying on Gogs, understanding and mitigating such vulnerabilities is crucial to safeguarding their repositories and infrastructure.

Key Takeaways

An unpatched zero-day vulnerability in the Gogs self-hosted Git service can allow attackers to gain remote code execution (RCE) on Internet-facing instances.

Designed as an alternative to GitHub Enterprise or GitLab and written in Go, Gogs is often exposed online for remote collaboration.

This critical-severity argument injection flaw has yet to be assigned a CVE ID, affects the latest releases (Gogs 0.14.2 and 0.15.0+dev), and requires an authenticated attacker, though not one with admin privileges.

However, even though it requires basic user privileges to exploit, Rapid7 senior security researcher Jonah Burges (who discovered the flaw) said the vulnerability affects all Gogs servers with default configurations.

"Since Gogs ships with open registration enabled by default (DISABLE_REGISTRATION = false) and no limit on repository creation (MAX_CREATION_LIMIT = -1), an unauthenticated attacker can simply create an account and repository on any default-configured instance," Burges warned on Thursday.

"Any registered user who creates a repo is automatically its owner. From there, enabling rebase merging is a single toggle in settings, and the entire exploit chain can be operated without interaction from any other user."

Successful exploitation lets attackers execute arbitrary code remotely as the Gogs server process user: a pull request whose source branch carries a malicious name injects the "--exec" flag into git rebase during the "Rebase before merging" merge operation.

They can abuse this security flaw "to compromise the server, read every repository on the instance (including other users' private repos), dump credentials (password hashes, API tokens, SSH keys, 2FA secrets), pivot to other network-accessible systems, and modify any hosted repository's code."

Burges added that this vulnerability is similar to other argument injection flaws (e.g., CVE-2024-39933, CVE-2024-39932, CVE-2026-26194, and CVE-2024-39930) addressed by Gogs in recent years, but affects a different code path (Merge()) that was never patched.
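Added example (not Gogs' or Rapid7's code) of the defensive pattern that closes this class of argument injection: the ref names a user controls are validated against git's ref-name rules before they reach a git command line, and then placed after git's --end-of-options sentinel so that even a name that slips through cannot be read as a flag. It assumes git 2.24 or newer, which honours --end-of-options; the validator is a subset of git-check-ref-format written here for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

var (
	// ErrUnsafeRef: the name could be parsed as a git option (leading "-").
	ErrUnsafeRef = errors.New("ref name rejected: could be parsed as a git option")
	ErrBadRef    = errors.New("ref name rejected: invalid characters or layout")
)

// SafeRefName applies the leading-dash rule plus a subset of the
// git-check-ref-format rules (written for this example; not Gogs' validator).
func SafeRefName(name string) error {
	if name == "" || strings.HasPrefix(name, "-") {
		return ErrUnsafeRef
	}
	for _, r := range name {
		// control characters, DEL, and characters git forbids in ref names
		if r < 0x20 || r == 0x7f || strings.ContainsRune(" ~^:?*[\\", r) {
			return ErrBadRef
		}
	}
	if strings.Contains(name, "..") || strings.Contains(name, "@{") ||
		strings.Contains(name, "//") || strings.HasSuffix(name, ".lock") ||
		strings.HasPrefix(name, "/") || strings.HasSuffix(name, "/") ||
		strings.HasSuffix(name, ".") || name == "@" {
		return ErrBadRef
	}
	return nil
}

// RebaseArgs builds the argv for "git rebase" so user-controlled ref names can
// never be read as options: both are validated, then placed after
// --end-of-options (honoured by git >= 2.24; assumed available here).
func RebaseArgs(upstream, branch string) ([]string, error) {
	for _, n := range []string{upstream, branch} {
		if err := SafeRefName(n); err != nil {
			return nil, fmt.Errorf("%q: %w", n, err)
		}
	}
	return []string{"rebase", "--end-of-options", upstream, branch}, nil
}

func main() {
	for _, br := range []string{"feature/login", "--exec=anything", "bad name"} {
		args, err := RebaseArgs("main", br) // prints the argv or the rejection
		fmt.Println(args, err)
	}
}
```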

The researcher reported the security flaw to the Gogs maintainers on March 17, but they have yet to provide a patch or respond to further requests for a status update, despite acknowledging the report on March 28.
