Critical Vulnerability in Gogs Allows Authenticated Users to Execute Arbitrary Code
A significant security flaw has been identified in Gogs, a widely used open-source Git service, which permits authenticated users to execute arbitrary code under specific conditions. Rapid7 has assigned the vulnerability a CVSS score of 9.4, indicating its critical nature, though it currently lacks a CVE identifier.
Security researcher Jonah Burgess from Rapid7 explains that the flaw enables any authenticated user to achieve remote code execution (RCE) on the server. This is accomplished by creating a pull request from a branch whose name injects the `--exec` flag into the `git rebase` command that runs during the 'Rebase before merging' operation.
Understanding the git rebase Command:
The `git rebase` command is used to integrate changes from one branch into another by replaying a sequence of commits. Unlike `git merge`, which combines histories, `git rebase` rewrites the project history by creating new commits for each commit in the original branch. An important feature of `git rebase` is the `--exec` flag, which runs a specified shell command after each commit is replayed. That is what makes the injection dangerous: a branch name that git parses as this flag turns into a command executed on the server with the privileges of the Gogs process.
Exploitation Details:
Exploiting this vulnerability does not require administrative privileges or interaction with other users. On a default-configured Gogs instance, where self-registration is open, an attacker without an existing account can register one and create a repository. Enabling rebase merging, a simple toggle in the repository settings, is then all that is needed; no further user interaction is required.
In scenarios where repository creation is restricted, an attacker with write access to an existing repository that has rebase merging enabled can exploit the flaw directly to achieve code execution.
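The root cause described above is argument injection: a user-controlled branch name ends up as a positional argument to `git rebase`, and git parses a name beginning with `-` as an option. Spawning git without a shell does not help, because git itself does the option parsing. The following Go code is an added example written for this article, not code from Gogs or from Rapid7, showing the check a Git service should apply before a branch name reaches argv; the function names and the character set it allows are assumptions chosen for the example.

```go
package main

import (
	"errors"
	"fmt"
	"os/exec"
	"regexp"
	"strings"
)

// refNamePattern is stricter than git's own ref rules on purpose: it forbids a
// leading '-' outright, so nothing that reaches argv can be mistaken for an
// option such as --exec, and keeps the character set to what branch names
// realistically need. (Assumption for this example: no exotic ref names.)
var refNamePattern = regexp.MustCompile(`^[A-Za-z0-9][A-Za-z0-9._/-]*$`)

// ValidateBranchName returns an error for any branch name that must never be
// handed to git as a positional argument.
func ValidateBranchName(name string) error {
	switch {
	case name == "":
		return errors.New("empty branch name")
	case strings.HasPrefix(name, "-"):
		return fmt.Errorf("branch name %q starts with '-' and would be parsed as a git option", name)
	case !refNamePattern.MatchString(name):
		return fmt.Errorf("branch name %q contains disallowed characters", name)
	case strings.Contains(name, ".."), strings.Contains(name, "//"),
		strings.Contains(name, "/."), strings.HasSuffix(name, "/"),
		strings.HasSuffix(name, "."), strings.HasSuffix(name, ".lock"):
		return fmt.Errorf("branch name %q violates git ref-name rules", name)
	}
	return nil
}

// RebaseArgs builds the argv for "git rebase <base> <head>" after validating
// both names. Every positional argument is checked a second time so that an
// option-looking string can never be emitted even if validation is relaxed later.
func RebaseArgs(base, head string) ([]string, error) {
	args := []string{"rebase"}
	for _, name := range []string{base, head} {
		if err := ValidateBranchName(name); err != nil {
			return nil, err
		}
		args = append(args, name)
	}
	for _, a := range args[1:] {
		if strings.HasPrefix(a, "-") {
			return nil, fmt.Errorf("refusing to emit option-like positional argument %q", a)
		}
	}
	return args, nil
}

// RunRebase runs the rebase inside repoDir. exec.Command already avoids a
// shell; the validation above is still required because git, not a shell,
// is what turns a leading '-' into an option.
func RunRebase(repoDir, base, head string) ([]byte, error) {
	args, err := RebaseArgs(base, head)
	if err != nil {
		return nil, err
	}
	cmd := exec.Command("git", args...)
	cmd.Dir = repoDir
	return cmd.CombinedOutput()
}

func main() {
	// Constructed sample names: one legitimate, three that must be rejected.
	for _, n := range []string{"feature/login", "--exec=true", "-i", "release..v2"} {
		fmt.Printf("%-16s -> %v\n", n, ValidateBranchName(n))
	}
}
```

The second loop in `RebaseArgs` is intentionally redundant with `ValidateBranchName`: the invariant "no positional argument starts with a dash" is cheap to enforce at the point where argv is assembled, and keeping it there protects the call site even if someone later loosens the name rules.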
Potential Impact:
Successful exploitation of this vulnerability could allow an attacker to:
- Gain unauthorized access to the server.
- Access all repositories hosted on the instance.
- Extract credentials.
- Move laterally to other systems within the network.
- Alter the code in any hosted repository.
Additionally, this flaw could lead to cross-tenant data breaches, enabling attackers to read private repositories of other users on the same shared server. Rapid7 notes that this vulnerability affects all supported platforms, including Windows, Linux, and macOS.
Current Status and Recommendations:
As of now, the vulnerability remains unpatched, despite being reported to the Gogs maintainer on March 17, 2026. In the absence of an official fix, the following mitigations are recommended:
- Restrict User Registration: Set `DISABLE_REGISTRATION = true` in the `app.ini` configuration file to prevent untrusted users from creating accounts.
- Limit Repository Creation: Set `MAX_CREATION_LIMIT = 0` in the `app.ini` configuration file to prevent users from creating their own repositories.
- Audit Rebase Merge Settings: Review and adjust rebase merge settings to ensure they are configured securely.
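The two `app.ini` settings above are easy to check across a fleet of instances. The Go program below is an added example for this article, not code from Gogs or Rapid7: it parses an `app.ini` and reports each of the two settings that is missing or not at its hardened value. The section names (`[service]` for `DISABLE_REGISTRATION`, `[repository]` for `MAX_CREATION_LIMIT`) follow the Gogs configuration layout as the author understands it; the sample configuration embedded in the block is constructed for the example. Since the advisory says a default-configured instance is exposed, an unset key is treated as a finding.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Finding describes one setting that deviates from the mitigation value.
type Finding struct {
	Section, Key, Have, Want string
}

// parseINI is a minimal reader for app.ini-style files: "[section]" headers,
// "key = value" lines, and ';' or '#' comment lines. Keys are stored as
// "section.KEY" with the section lower-cased and the key upper-cased.
func parseINI(text string) map[string]string {
	out := map[string]string{}
	section := ""
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || line[0] == ';' || line[0] == '#' {
			continue
		}
		if strings.HasPrefix(line, "[") && strings.HasSuffix(line, "]") {
			section = strings.ToLower(strings.TrimSpace(line[1 : len(line)-1]))
			continue
		}
		k, v, ok := strings.Cut(line, "=")
		if !ok {
			continue
		}
		out[section+"."+strings.ToUpper(strings.TrimSpace(k))] = strings.TrimSpace(v)
	}
	return out
}

// AuditMitigations checks the two app.ini settings recommended as mitigations.
// A key that is absent is reported with Have == "(unset)", because the
// default configuration is the exposed one.
func AuditMitigations(appINI string) []Finding {
	cfg := parseINI(appINI)
	want := []Finding{
		{Section: "service", Key: "DISABLE_REGISTRATION", Want: "true"},
		{Section: "repository", Key: "MAX_CREATION_LIMIT", Want: "0"},
	}
	var findings []Finding
	for _, w := range want {
		have, ok := cfg[w.Section+"."+w.Key]
		if !ok {
			have = "(unset)"
		}
		if !strings.EqualFold(have, w.Want) {
			w.Have = have
			findings = append(findings, w)
		}
	}
	return findings
}

// sampleAppINI is a constructed configuration, not taken from any real deployment.
const sampleAppINI = `; constructed sample app.ini
[service]
DISABLE_REGISTRATION = false

[repository]
ROOT = /data/git
`

func main() {
	for _, f := range AuditMitigations(sampleAppINI) {
		fmt.Printf("[%s] %s = %s (want %s)\n", f.Section, f.Key, f.Have, f.Want)
	}
}
```

Run it against the real `app.ini` by reading the file into a string and passing it to `AuditMitigations`; an empty result means both mitigations are in place. The third recommendation, auditing which repositories have rebase merging enabled, is stored per repository in the Gogs database rather than in `app.ini`, so it is not covered by this check.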
Rapid7 has developed a Metasploit module that automates the full exploit chain against both Linux and Windows targets. This module supports two modes:
1. Default Mode: Creates a temporary repository under the attacker’s account, executes the exploit, and then deletes the repository.
2. Targeted Mode: Targets an existing repository where the attacker already has write and merge access.
In the default mode, the only trace left on the server is an HTTP 500 error in its logs; in the targeted mode, additional artifacts may remain in the existing repository.
Conclusion:
The discovery of this critical vulnerability in Gogs underscores the importance of proactive security measures in open-source software. Users and administrators are urged to implement the recommended mitigations promptly to protect their systems from potential exploitation.