Vulnerabilities Discovered in Forgejo Following Carrot Disclosure

Vulnerabilities Discovered in Forgejo Following Carrot Disclosure

First seen 30 Apr 2026, 20:35 UTC News.Ycombinatorcodeberg.orgforgejo.org 83% similarity 54.9

Article Content

Browse articles
ThreatCluster

A security researcher identified multiple vulnerabilities in Forgejo, a software platform used by Fedora, including SSRF, cryptographic issues, and authentication flaws. The researcher was able to chain these vulnerabilities to achieve remote code execution (RCE) and other exploits, although the RCE relies on non-default configurations. The researcher opted for a 'Carrot Disclosure' approach, publishing a redacted exploit to encourage Forgejo to improve its security posture. Following this disclosure, the researcher engaged in discussions with Forgejo's security team, providing recommendations and proof-of-concept exploits. The situation remains dynamic as Forgejo's response is awaited.

Key Points: • Multiple vulnerabilities, including SSRF and RCE, found in Forgejo. • Researcher used 'Carrot Disclosure' to incentivize security improvements. • Forgejo's response to the disclosure is currently pending.

ThreatCluster AI

Timeline

2026-04-28
Researcher published vulnerabilities in Forgejo.
2026-04-30
Researcher contacted Forgejo security team with recommendations.

Community

Browse all →