Unpatched Gogs Zero-Day Exposes Servers to Remote Code Execution
A critical zero-day vulnerability in the **Gogs** self-hosted Git service allows attackers to achieve remote code execution (RCE) on vulnerable, internet-facing instances. The unpatched flaw, discovered by **Rapid7**, affects the latest releases and can be exploited by authenticated users, even without administrative privileges.

**Gogs**, designed as a **GitHub Enterprise** or **GitLab** alternative and written in Go, is often exposed online for remote collaboration. This makes it a prime target for attackers.
### The Vulnerability
This critical-severity argument injection flaw has yet to be assigned a **CVE** ID. It impacts the latest release versions (**Gogs 0.14.2** and **0.15.0+dev**). According to **Rapid7** senior security researcher **Jonah Burgess**, the vulnerability affects all **Gogs** servers running the default configuration.
"Since **Gogs** ships with open registration enabled by default (DISABLE_REGISTRATION = false) and no limit on repository creation (MAX_CREATION_LIMIT = -1), an unauthenticated attacker can simply create an account and repository on any default-configured instance," **Burgess** warned.
Essentially, any registered user who creates a repository automatically becomes its owner, and enabling rebase merging is a simple toggle in that repository's settings. The entire exploit chain can therefore be executed without any further user interaction.
### Impact
Successful exploitation allows attackers to execute arbitrary code remotely as the user running the **Gogs** server process. This is achieved through pull requests whose malicious branch name injects the `--exec` flag into the `git rebase` command run during the "Rebase before merging" operation.
Attackers can leverage this flaw to:
* Compromise the server.
* Read every repository on the instance (including other users' private repos).
* Dump credentials (password hashes, API tokens, SSH keys, 2FA secrets).
* Pivot to other network-accessible systems.
* Modify any hosted repository's code.
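One defensive pattern for the bug class described above, as an added Go example that is not Gogs' own code: validate user-controlled ref names and place git's `--` end-of-options marker before them, so a branch name can never be read as a flag such as `--exec`. The function names, the forbidden-character set and the sample branch names are assumptions constructed for this example.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ErrOptionLikeRef is returned for names git would parse as an option
// (e.g. --exec or its short form -x) rather than as a revision.
var ErrOptionLikeRef = errors.New("ref name would be parsed as a git option")

// ValidateRefName is a conservative pre-check for user-controlled branch
// names before they are handed to a git subprocess. Any leading '-' is
// rejected; a few characters git forbids in ref names are refused too.
func ValidateRefName(name string) error {
	if name == "" {
		return errors.New("empty ref name")
	}
	if strings.HasPrefix(name, "-") {
		return ErrOptionLikeRef
	}
	if strings.ContainsAny(name, " \t\n~^:?*[\\") || strings.Contains(name, "..") {
		return errors.New("ref name contains characters git forbids")
	}
	return nil
}

// RebaseArgs builds the argv for `git rebase <upstream>` with the
// end-of-options marker, so even a name that slipped past validation is
// passed as a positional revision and can never be read as a flag.
func RebaseArgs(upstream string) ([]string, error) {
	if err := ValidateRefName(upstream); err != nil {
		return nil, err
	}
	return []string{"rebase", "--", upstream}, nil
}

func main() {
	// Constructed sample branch names; the option-like ones are placeholders,
	// not working payloads.
	for _, name := range []string{"feature/login", "-x", "--exec=placeholder", "a..b"} {
		if args, err := RebaseArgs(name); err != nil {
			fmt.Printf("%-20q rejected: %v\n", name, err)
		} else {
			fmt.Printf("%-20q ok: git %s\n", name, strings.Join(args, " "))
		}
	}
}
```

The returned slice is meant to be passed to `exec.Command("git", args...)`; the validation step fails early with a clear error instead of relying on git to reject the name.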
**Burgess** notes that this vulnerability is similar to other argument injection flaws (e.g., **CVE-2024-39933**, **CVE-2024-39932**, **CVE-2026-26194**, and **CVE-2024-39930**) previously addressed by **Gogs**, but affects a different code path (`Merge()`) that remains unpatched.
### Lack of Patch and Exposure
The researcher reported the security flaw to the **Gogs** maintainers on March 17th. While the report was acknowledged on March 28th, a patch has not been released, and no status updates have been provided.
**Shadowserver** currently tracks over 2,400 exposed **Gogs** servers online, with a significant concentration in Asia (1,894) and Europe (319). **Shodan** identifies just over 1,000 IP addresses with a **Gogs** fingerprint.

*Gogs servers exposed online (ShadowServer)*
### Previous Vulnerabilities
In December, the **Gogs** security team patched another **Gogs** RCE vulnerability (**CVE-2025-8110**) that was exploited in zero-day attacks to compromise hundreds of servers. **Wiz** security researchers, who reported that flaw, highlighted the widespread "Open Registration" configuration, which creates a substantial attack surface.
**Wiz Research** discovered **CVE-2025-8110** while investigating a compromised Internet-facing **Gogs** server. **Wiz** reported the vulnerability in July, and patches were released in early January.
On January 12th, **CISA** confirmed active exploitation of **CVE-2025-8110** and added it to its catalog of known exploited vulnerabilities. Federal Civilian Executive Branch (FCEB) agencies were mandated to secure their servers by February 2nd.
"This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise," **CISA** warned.