Critical RCE Vulnerability Disclosed in Gogs: Unpatched Flaw Exposes Repositories to Complete Takeover
A critical remote code execution (RCE) vulnerability has been disclosed in **Gogs**, a self-hosted Git service. It allows any authenticated user to execute arbitrary code on the server. The vulnerability has no **CVE** identifier at the time of writing, and it poses a significant risk to Gogs instances running the default configuration, in which anyone can register an account and create repositories.

### Gogs RCE Vulnerability: A Deep Dive
Security researcher Jonah Burgess of **Rapid7** disclosed a critical vulnerability in **Gogs**, an open-source self-hosted Git service. The flaw allows any authenticated user to achieve remote code execution (RCE) on the server. It is an argument injection: by opening a pull request with a crafted branch name, the attacker injects the `--exec` flag into the `git rebase` command that Gogs runs during the 'Rebase before merging' operation. **Rapid7** assigns the vulnerability a CVSS score of 9.4.
### Understanding the Attack Vector
The attack abuses `git rebase`, which replays the commits of one branch on top of another. Its `--exec` flag runs a shell command after each replayed commit, so a branch name that git parses as `--exec=<command>` turns a routine merge into command execution on the server. Importantly, exploitation requires neither administrative privileges nor any interaction from other users: on a default-configured **Gogs** instance an attacker only needs to register an account and create a repository.
Burgess explains, "Any registered user who creates a repo is automatically its owner. From there, enabling rebase merging is a single toggle in settings, and the entire exploit chain can be operated without interaction from any other user."
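The pattern behind the flaw, as an added example in Go (the language Gogs is written in). This is not Gogs's code and not the exploit from the advisory: the helper names, the `/srv/repo` path and the branch name `--exec=id` are constructed for illustration. It contrasts a command line that places user-controlled ref names where git still reads options with one that validates the names and terminates option parsing with `--` first.

```go
package main

import (
	"errors"
	"fmt"
	"os/exec"
	"strings"
)

// ErrUnsafeRef is returned for branch names that must never reach a git
// command line.
var ErrUnsafeRef = errors.New("unsafe branch name")

// CheckBranchName is a hypothetical helper (not a Gogs function). It refuses
// anything git's option parser would read as a flag and applies the common
// check-ref-format rules that can be checked without invoking git.
func CheckBranchName(name string) error {
	switch {
	case name == "":
		return fmt.Errorf("%w: empty name", ErrUnsafeRef)
	case strings.HasPrefix(name, "-"):
		// "--exec=..." or "-x..." would be parsed as rebase options.
		return fmt.Errorf("%w: %q starts with '-'", ErrUnsafeRef, name)
	case strings.HasPrefix(name, "/"), strings.HasSuffix(name, "/"),
		strings.HasSuffix(name, "."), strings.HasSuffix(name, ".lock"),
		strings.Contains(name, ".."), strings.Contains(name, "//"),
		strings.Contains(name, "@{"), name == "@":
		return fmt.Errorf("%w: %q violates ref-name rules", ErrUnsafeRef, name)
	}
	for _, r := range name {
		// control characters, space, DEL and git's reserved punctuation
		if r <= 0x20 || r == 0x7f || strings.ContainsRune("~^:?*[\\", r) {
			return fmt.Errorf("%w: %q contains forbidden character %q", ErrUnsafeRef, name, r)
		}
	}
	return nil
}

// vulnerableRebaseArgs mirrors the injection-prone pattern: user-controlled
// ref names are appended where git still accepts options, so a head branch
// named "--exec=<cmd>" yields `git rebase <base> --exec=<cmd>`.
func vulnerableRebaseArgs(base, head string) []string {
	return []string{"rebase", base, head}
}

// SafeRebaseCmd validates both names and ends option parsing with "--"
// (honoured by git's parse-options layer) before any user-controlled
// argument. It returns the prepared command without running it.
func SafeRebaseCmd(repoDir, base, head string) (*exec.Cmd, error) {
	for _, n := range []string{base, head} {
		if err := CheckBranchName(n); err != nil {
			return nil, err
		}
	}
	cmd := exec.Command("git", "rebase", "--", base, head)
	cmd.Dir = repoDir
	return cmd, nil
}

func main() {
	base := "main"
	head := "--exec=id" // constructed attacker-chosen branch name
	fmt.Println("vulnerable argv:", strings.Join(vulnerableRebaseArgs(base, head), " "))
	if _, err := SafeRebaseCmd("/srv/repo", base, head); err != nil {
		fmt.Println("safe path refused:", err)
	}
	if cmd, err := SafeRebaseCmd("/srv/repo", base, "feature/login"); err == nil {
		fmt.Println("safe argv:", strings.Join(cmd.Args, " "))
	}
}
```

The validator is the primary control; `--` is defence in depth for the case where a name slips through from another path (for example a ref pushed directly, which server-side ref checks do not reject merely for a leading dash).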
### Alternative Attack Scenario
Where rebase merging is already enabled on a repository, any user with write access to it can exploit the flaw directly without creating anything. On **Gogs** instances where repository creation is restricted, this is the only path: the attacker must already hold write access to a repository that has rebase merging enabled.
### Unpatched Vulnerability and Potential Impact
As of this writing, the vulnerability remains unpatched despite being reported to the maintainer on March 17, 2026. Successful exploitation could allow an attacker to:
* Breach the server
* Access all repositories on the instance
* Dump credentials
* Move laterally to other network-accessible systems
* Tamper with the code of any hosted repository
Furthermore, the vulnerability could lead to a cross-tenant data breach, exposing other users' private repositories hosted on the same server. The flaw affects all supported platforms, including Windows, Linux, and macOS.
### Mitigation Strategies
With an estimated 1,141 internet-facing **Gogs** instances, and many more behind VPNs or on internal networks, the potential impact is significant. In the absence of an official patch, the following mitigations are recommended:
* Disable self-registration: `DISABLE_REGISTRATION = true` in the `[service]` section of `app.ini`
* Block repository creation by capping the per-user limit at zero: `MAX_CREATION_LIMIT = 0` in the `[repository]` section of `app.ini`
* Audit existing repositories for the rebase merge setting, since neither of the settings above removes accounts or repositories that already exist, and a user with write access to a repository with rebase merging enabled can still exploit the flaw
### Metasploit Module Available
**Rapid7** has released a **Metasploit** module that automates the exploit chain against both Linux and Windows targets. The module supports two modes:
1. Creating a temporary repository under the attacker's account, running the exploit, and deleting the repository.
2. Targeting an existing repository to which the attacker has write and merge access.
Burgess notes, "When the attacker creates and deletes their own repository, the only trace is an HTTP 500 in the server logs. When exploiting an existing repository, additional artifacts remain."