www.rapid7.com
Critical Zero-Day Vulnerability in Gogs Allows Remote Code Execution
Ask AI about this cluster
Analyzing cluster data...
Referenced clusters:
Something went wrong. Please try again.
Cluster AI
Ask questions about this threat cluster with AI-powered analysis.
Get Researcher $29.99/moArticle Content
A critical argument injection vulnerability (CWE-88) has been discovered in Gogs, a widely used self-hosted Git service, allowing authenticated users to execute arbitrary code on the server. The flaw, identified by Rapid7's Jonah Burgess, has a CVSSv4 score of 9.4 and affects Gogs versions 0.14.2 and 0.15.0+dev, with no patch available at the time of publication. Attackers can exploit this vulnerability by creating a pull request with a malicious branch name that injects the --exec flag during the rebase merge operation. The vulnerability is particularly dangerous as Gogs instances often have open registration enabled by default, allowing unauthenticated users to create accounts and repositories. Successful exploitation can lead to full server compromise, including access to private repositories and sensitive credentials. Despite being reported to Gogs maintainers on March 17, no patch has been released as of May 28, 2026. The vulnerability is similar to previous argument injection flaws but affects a different code path.
Key Points: • Critical argument injection vulnerability in Gogs allows RCE for authenticated users. • No patch available; the vulnerability affects Gogs versions 0.14.2 and 0.15.0+dev. • Open registration by default enables unauthenticated users to exploit the flaw easily.