Critical Zero-Day Vulnerability in Gogs Allows Remote Code Execution
Severity: High (Score: 72.0)
Sources: Bleepingcomputer, Cybersecuritynews, www.rapid7.com, nvd.nist.gov
Keywords: gogs, vulnerability, rapid7, labs, critical, self-hosted, service
Severity indicators: critical, vulnerability
Summary
A critical argument injection vulnerability (CWE-88) has been discovered in Gogs, a widely used self-hosted Git service, allowing authenticated users to execute arbitrary code on the server. The flaw, identified by Rapid7's Jonah Burgess, has a CVSSv4 score of 9.4 and affects Gogs versions 0.14.2 and 0.15.0+dev, with no patch available at the time of publication. Attackers can exploit this vulnerability by creating a pull request with a malicious branch name that injects the --exec flag during the rebase merge operation. The vulnerability is particularly dangerous as Gogs instances often have open registration enabled by default, allowing unauthenticated users to create accounts and repositories. Successful exploitation can lead to full server compromise, including access to private repositories and sensitive credentials. Despite being reported to Gogs maintainers on March 17, no patch has been released as of May 28, 2026. The vulnerability is similar to previous argument injection flaws but affects a different code path.

Key Points:
• Critical argument injection vulnerability in Gogs allows RCE for authenticated users.
• No patch available; the vulnerability affects Gogs versions 0.14.2 and 0.15.0+dev.
• Open registration by default enables unauthenticated users to exploit the flaw easily.
Detailed Analysis
**Impact**
All Gogs instances running versions 0.14.2 and 0.15.0+dev are affected, with all prior versions supporting "Rebase before merging" likely vulnerable. Over 1,100 internet-facing instances were identified via Shodan, with Shadowserver tracking more than 2,400 globally, predominantly in Asia and Europe. Organizations, universities, and teams using Gogs as a shared Git hosting platform face risks of full server compromise, cross-tenant data breaches including private repositories, credential theft (password hashes, API tokens, SSH keys, 2FA secrets), lateral movement, and supply chain attacks through repository code modification.

**Technical Details**
The vulnerability is a critical argument injection (CWE-88) allowing authenticated users to achieve remote code execution by injecting the `--exec` flag into `git rebase` during the "Rebase before merging" operation via malicious branch names. Exploitation requires no admin privileges and can be performed entirely within the attacker's own repository. The flaw affects all platforms and installation methods, including Docker and binary deployments. No CVE ID has been assigned yet; the vulnerability was reported on March 17, 2026, and remains unpatched. Related past CVEs include CVE-2024-39933, CVE-2024-39932, CVE-2026-26194, and CVE-2024-39930.

**Recommended Response**
No patch is currently available; organizations should immediately disable "Rebase before merging" in Gogs settings and restrict open registration (set `DISABLE_REGISTRATION = true`) and repository creation limits (`MAX_CREATION_LIMIT` to a positive integer). Monitor for suspicious pull requests with unusual branch names and anomalous git rebase activity. Limit write access to trusted users only and isolate Gogs servers from sensitive network segments. Maintain heightened vigilance for lateral movement and credential theft indicators.
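An added example (not from the advisory or from the Gogs project) of the two defensive checks recommended above: auditing a Gogs `app.ini` for the weak registration and creation-limit settings, and screening branch names that would be parsed as `git` command-line options. It assumes the `[service]` and `[repository]` section names of Gogs' `app.ini`; the sample configuration and branch names are constructed.

```python
import configparser
import re

# Constructed sample app.ini showing the permissive defaults the advisory warns about.
SAMPLE_APP_INI = """
[repository]
MAX_CREATION_LIMIT = -1

[service]
DISABLE_REGISTRATION = false
"""


def audit_gogs_config(ini_text: str) -> list[str]:
    """Return findings for the settings the advisory asks operators to harden.

    Assumed section layout: DISABLE_REGISTRATION under [service],
    MAX_CREATION_LIMIT under [repository].
    """
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(ini_text)
    findings = []
    if not cfg.getboolean("service", "DISABLE_REGISTRATION", fallback=False):
        findings.append("open registration enabled: set [service] DISABLE_REGISTRATION = true")
    limit = cfg.getint("repository", "MAX_CREATION_LIMIT", fallback=-1)
    if limit <= 0:
        findings.append("unlimited repo creation: set [repository] MAX_CREATION_LIMIT to a positive integer")
    return findings


# A branch name (or any path component of it) that begins with '-' looks like a
# git option rather than a ref, which is the shape of an argument-injection attempt.
OPTION_LIKE = re.compile(r"(^|/)-")


def suspicious_branch_names(names: list[str]) -> list[str]:
    """Return branch names worth reviewing before any rebase-based merge runs."""
    return [n for n in names if OPTION_LIKE.search(n) or "--exec" in n]


if __name__ == "__main__":
    for finding in audit_gogs_config(SAMPLE_APP_INI):
        print("config:", finding)
    for name in suspicious_branch_names(["main", "feature/login", "--exec=x", "fix/-n"]):
        print("branch:", name)
```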
Source articles (5)
- New Gogs zero — Bleepingcomputer · 2026-05-28
  An unpatched zero-day vulnerability in the Gogs self-hosted Git service can allow attackers to gain remote code execution (RCE) on Internet-facing instances. Designed as an alternative to GitHub Enter…
- Burges warned — www.rapid7.com · 2026-05-28
  Rapid7 Labs discovered a critical argument injection (CWE-88) vulnerability in Gogs, a popular open-source self-hosted Git service. Rapid7 Labs scores this vulnerability as CVSSv4 9.4 (Critical). T…
- New Gogs 0 — Cybersecuritynews · 2026-05-28
  A critical zero-day vulnerability has been discovered in Gogs, one of the most widely deployed self-hosted Git platforms in the world, allowing any authenticated user to execute arbitrary commands on…
- CVE-2024-39933 — nvd.nist.gov · 2026-05-28
- CVE-2024-39932 — nvd.nist.gov · 2026-05-28
Timeline
- 2024-07-04 — CVE-2024-39930 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
- 2024-07-04 — CVE-2024-39932 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
- 2024-07-04 — CVE-2024-39933 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
- 2025-12-10 — CVE-2025-8110 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
- 2026-03-05 — CVE-2026-26194 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
- 2026-03-17 — Vulnerability reported to Gogs maintainers: Jonah Burgess reported the critical flaw to Gogs maintainers, who acknowledged it on March 28.
- 2026-05-28 — Vulnerability disclosed publicly: Rapid7 disclosed the zero-day vulnerability in Gogs, highlighting its critical nature and lack of a patch.
CVEs
Related entities
- Data Breach (Attack Type)
- Supply Chain Attack (Attack Type)
- Zero-day Exploit (Attack Type)
- CWE-200 - Exposure of Sensitive Information (Cwe)
- CWE-287 - Improper Authentication (Cwe)
- CWE-862 - Missing Authorization (Cwe)
- CWE-88 - Argument Injection (Cwe)
- advanced.by (Domain)
- T1003 - OS Credential Dumping (Mitre Attack)
- T1021 - Remote Services (Mitre Attack)
- T1059.001 - PowerShell (Mitre Attack)
- T1059.003 - Windows Command Shell (Mitre Attack)
- T1059.004 - Unix Shell (Mitre Attack)
- T1059 - Command and Scripting Interpreter (Mitre Attack)
- T1190 - Exploit Public-Facing Application (Mitre Attack)
- T1195 - Supply Chain Compromise (Mitre Attack)
- Gogs (Company)
- Linux (Platform)
- MacOS (Platform)
- Windows (Platform)
- Metasploit (Tool)