Critical Zero-Day in Gogs Patched, Enabling RCE on Internet-Facing Instances
A critical argument-injection zero-day flaw in **Gogs**, the popular self-hosted Git service, has been patched. The flaw allowed authenticated attackers to achieve remote code execution (RCE) and read private repositories. Discovered by **Rapid7**, the vulnerability affects all **Gogs** releases up to 0.14.2 and 0.15.0+dev, posing a significant risk to internet-exposed instances running the default configuration.

**Gogs** has released a patch for a critical zero-day security flaw that could allow attackers to compromise internet-facing instances and access any repository, including private ones. This argument-injection vulnerability, which has yet to be assigned a CVE ID, can be exploited by authenticated attackers without admin privileges.
Attackers leveraging this flaw can compromise the targeted server, read private repositories, steal credentials, move laterally within the network, and alter hosted source code.
### Exploitation Path
**Rapid7** security researcher **Jonah Burgess**, who discovered and reported the flaw, highlighted that it affects all **Gogs** servers with default configurations, despite requiring basic user privileges for exploitation.
"Since **Gogs** ships with open registration enabled by default (DISABLE_REGISTRATION = false) and no limit on repository creation (MAX_CREATION_LIMIT = -1), an unauthenticated attacker can simply create an account and repository on any default-configured instance," **Burgess** warned two weeks prior to the patch release.
He further explained, "Any registered user who creates a repo is automatically its owner. From there, enabling rebase merging is a single toggle in settings, and the entire exploit chain can be operated without interaction from any other user."
### Patch and Mitigation
Over the weekend, the **Gogs** maintainers released version 0.14.3 on June 7 to patch the flaw and requested a CVE ID. The release came 10 days after **Rapid7** publicly disclosed the vulnerability, having received no response to multiple requests for a status update.
**Rapid7** strongly recommends that all **Gogs** users upgrade immediately. The fix was implemented via pull request #8301.
For users unable to patch their **Gogs** instances immediately, **Rapid7** shared critical mitigation measures:
* **Restrict user registration**: Set `DISABLE_REGISTRATION = true` in `app.ini` to prevent untrusted users from creating accounts. This is the most impactful mitigation, as the exploit is self-contained within a single user's repository.
* **Restrict repository creation**: Set `MAX_CREATION_LIMIT = 0` in `app.ini` to prevent users from creating their own repositories. This can also be set per-user via "Max Repo Creation" in the admin panel. While this blocks the easiest attack path, it does not prevent exploitation by users with write access to existing repositories.
* **Audit rebase merge settings**: Disabling "Rebase before merging" per-repo under Settings > Advanced is an option, but it's not an effective defense against a malicious user who owns or has admin access to a repo, as they can re-enable rebase at will.
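An added check, not from **Rapid7** or the **Gogs** project, that applies the version and `app.ini` guidance above to a configuration file. It assumes the two keys live in the `[service]` and `[repository]` sections as in the **Gogs** default `app.ini`; both sample configurations are constructed, and a `+dev` build is flagged for manual confirmation because its version string alone does not show whether PR #8301 is included.

```python
"""Audit a Gogs app.ini and version string against the mitigations above."""
import configparser
import re

PATCHED = (0, 14, 3)  # first release containing the fix (PR #8301)

# Constructed sample: the Gogs default values the advisory warns about.
DEFAULT_APP_INI = """\
[repository]
ROOT = /data/git/gogs-repositories
MAX_CREATION_LIMIT = -1

[service]
DISABLE_REGISTRATION = false
"""

# Constructed sample: the same file with both mitigations applied.
HARDENED_APP_INI = """\
[repository]
ROOT = /data/git/gogs-repositories
MAX_CREATION_LIMIT = 0

[service]
DISABLE_REGISTRATION = true
"""

def parse_version(s):
    """Return (major, minor, patch, is_dev) for '0.14.2' or '0.15.0+dev'."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(\+dev)?", s.strip())
    if not m:
        raise ValueError(f"unrecognised Gogs version: {s!r}")
    return (int(m[1]), int(m[2]), int(m[3]), m[4] is not None)

def audit(app_ini_text, version):
    """Return a list of findings; an empty list means nothing to fix."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(app_ini_text)
    findings = []
    major, minor, patch, is_dev = parse_version(version)
    if is_dev:
        findings.append("dev build: confirm it includes the fix from PR #8301")
    elif (major, minor, patch) < PATCHED:
        findings.append(f"version {version} is vulnerable; upgrade to 0.14.3 or later")
    # Missing keys fall back to the Gogs defaults (open registration, no limit).
    if not cfg.getboolean("service", "DISABLE_REGISTRATION", fallback=False):
        findings.append("open registration: set DISABLE_REGISTRATION = true in [service]")
    if cfg.getint("repository", "MAX_CREATION_LIMIT", fallback=-1) != 0:
        findings.append("users can create repos: set MAX_CREATION_LIMIT = 0 in [repository]")
    return findings

if __name__ == "__main__":
    for finding in audit(DEFAULT_APP_INI, "0.14.2"):
        print("FINDING:", finding)
```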
### Widespread Exposure
Written in Go and designed as an alternative to **GitHub Enterprise** or **GitLab**, **Gogs** is frequently exposed online as a remote collaboration platform.
Internet security watchdog **Shadowserver** currently tracks over 2,300 Internet-exposed **Gogs** servers, with the majority located in Asia (1,839) and Europe (312). Separately, **Shodan** lists just over 1,000 IP addresses with a **Gogs** fingerprint.

### A Pattern of Flaws
**Burgess** noted that this latest flaw is very similar to other argument-injection vulnerabilities that the **Gogs** security team has patched in recent years, including **CVE-2024-39933**, **CVE-2024-39932**, **CVE-2026-26194**, and **CVE-2024-39930**. However, this new vulnerability affects a different code path (`Merge()`) that the earlier fixes did not cover.
In early December 2026, **Gogs** patched another RCE vulnerability, **CVE-2025-8110**, after it was actively exploited in zero-day attacks to compromise hundreds of servers. **Wiz** security researchers, who reported that flaw, stated, "Many of these instances are configured with 'Open Registration' enabled by default, creating a massive attack surface."
On January 12, 2026, **CISA** confirmed that **CVE-2025-8110** was being abused in the wild and added it to its catalog of actively exploited vulnerabilities. **CISA** ordered Federal Civilian Executive Branch (FCEB) agencies to secure their servers within three weeks, by February 2.
"This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise," **CISA** warned at the time.