Gogs released version 0.14.3 on June 7, 2026, to patch a critical argument injection zero-day vulnerability carrying a CVSS score of 9.4. The flaw enables authenticated remote code execution (RCE) via pull requests with malicious branch names that inject the --exec flag into the git rebase command. Because Gogs ships with a high-risk default configuration—including open registration and no limits on repository creation—the attack surface is massive and trivial to exploit.
- The vulnerability exists in the Gogs Merge() function, which passes a pull request's base branch name to git rebase without sanitizing argument delimiters.
- An authenticated attacker without administrative privileges can trigger a rebase merge on a repository they own to execute arbitrary shell commands with the privileges of the server process.
- Default Gogs settings enable open registration (DISABLE_REGISTRATION = false) and remove repository creation limits (MAX_CREATION_LIMIT = -1), allowing unauthenticated attackers to self-register and complete the exploit chain without victim interaction.
- Rapid7 has released a Metasploit module and indicators of compromise (IoCs), significantly lowering the barrier to entry for intermediate-level threat actors.
The Mechanism: Exploiting git rebase for Arbitrary Execution
The core of the vulnerability is an argument injection in the git rebase --exec command during "Rebase before merging" operations. The Gogs Merge() function receives the base branch name of a pull request and forwards it directly to git rebase. The lack of delimiter sanitization allows an attacker to craft branch names containing the --exec flag followed by shell commands.
According to a technical report from Rapid7, the exploit is triggered in three steps: account registration, repository creation, and activating the rebase merge via a single toggle in the settings. The entire chain operates without requiring interaction from other users.
As documented by Rapid7, the result is "arbitrary command execution as the Gogs server process user, giving the attacker the ability to compromise the server, read every repository on the instance (including other users' private repos), dump credentials (password hashes, API tokens, SSH keys, 2FA secrets), pivot to other network-accessible systems, and modify any hosted repository's code."
A Recurring Pattern of Argument Injection
This vulnerability does not exist in a vacuum. The Gogs codebase has a history of similar flaws, with at least four previous argument injection CVEs documented in the same component responsible for parsing user input into git commands: CVE-2024-39933 (tagging, CVSS 7.7), CVE-2024-39932 (previewing changes, CVSS 9.9), CVE-2026-26194 (deleting release, CVSS 7.3, patched in 0.14.2), and CVE-2024-39930 (built-in SSH server, CVSS 9.9). These follow CVE-2025-8110, a previous zero-day exploited in the wild and added to the CISA KEV catalog.
As reported by BleepingComputer, the critical difference is that the current flaw targets a different code path—the Merge() function—which was never addressed by previous patches. The pattern suggests that while individual bugs are being fixed, the underlying architectural approach to command parsing remains vulnerable, allowing new vectors to emerge in adjacent data flows.
Global Exposure: Over 2,300 Instances Tracked
The attack surface is significant. Shadowserver currently tracks over 2,300 Gogs servers exposed to the internet, with 1,839 installations concentrated in Asia and 312 in Europe. Shodan lists just over 1,000 IP addresses with Gogs fingerprints. The exact number of vulnerable instances among those exposed is unknown, as versioning, configuration, and patch status vary by installation.
"Since Gogs ships with open registration enabled by default (DISABLE_REGISTRATION = false) and no limit on repository creation (MAX_CREATION_LIMIT = -1), an unauthenticated attacker can simply create an account and repository on any default-configured instance" — Jonah Burgess, Rapid7
Mitigation and Response
- Immediately upgrade to Gogs 0.14.3, released June 7, 2026. Rapid7’s Jonah Burgess notes: "Rapid7 recommends that all Gogs users upgrade immediately. The fix was implemented via pull request #8301."
- Verify the status of DISABLE_REGISTRATION and MAX_CREATION_LIMIT in the instance configuration. Open registration is the primary impact multiplier that transforms an authenticated flaw into an unauthenticated vector.
- Remove internal Gogs systems from the public internet where not strictly necessary, as the exploit requires only standard HTTP/HTTPS connectivity.
- Audit the rebase merge function for anomalous activity, specifically pull requests from recently registered accounts using unconventional branch names.
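The two defensive checks that follow from the mechanism described above and from the audit step in the last bullet, written as an added Go example (not Gogs code, not Rapid7's): a branch-name allowlist that can never yield a value beginning with a dash, the argument-vector construction that depends on it, and the same validator applied to pull-request records to surface candidates for review. The PullRequest record shape and all sample names are constructed for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// One slash-separated component of a branch name must start with a letter
// or digit, so no component can begin with '-' and be read as an option.
var refComponent = regexp.MustCompile(`^[A-Za-z0-9][A-Za-z0-9._-]*$`)

// ValidBranchName is deliberately stricter than git's check-ref-format (it
// also rejects leading '_' and non-ASCII): the safe direction for an argv.
func ValidBranchName(name string) bool {
	if name == "" || len(name) > 255 || strings.Contains(name, "..") {
		return false
	}
	for _, c := range strings.Split(name, "/") {
		if !refComponent.MatchString(c) || strings.HasSuffix(c, ".lock") {
			return false
		}
	}
	return true
}

// RebaseArgv shows the hardened pattern: validate, then pass an argument
// vector to exec directly (no shell), so the name is only ever a ref.
func RebaseArgv(base string) ([]string, error) {
	if !ValidBranchName(base) {
		return nil, fmt.Errorf("refusing rebase onto invalid branch name %q", base)
	}
	return []string{"git", "rebase", base}, nil
}

// PullRequest is a constructed record shape for the audit below.
type PullRequest struct{ ID int; Base string }

// SuspiciousPRs returns IDs of pull requests whose base branch fails
// validation: on an unpatched instance, the first ones to review.
func SuspiciousPRs(prs []PullRequest) []int {
	var hits []int
	for _, pr := range prs {
		if !ValidBranchName(pr.Base) {
			hits = append(hits, pr.ID)
		}
	}
	return hits
}
```

Run SuspiciousPRs over the base-branch column of the pull-request table, joined with account creation time, to get the list the audit bullet asks for.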
Why the Cycle Continues
The disclosure timeline highlights ongoing friction. Jonah Burgess reported the vulnerability in mid-March 2026. Publication followed a lack of response to follow-ups, resulting in a forced disclosure 10 days after the patch release. It remains unclear if Gogs maintainers formally responded before this escalation.
The most concerning data point remains the pattern. Four previous CVEs in the same component, identical severity scores, and the same vulnerability class: argument injection from user input to the git shell. This raises questions about whether the open-source project has the resources—human, temporal, or code-review—to perform a systematic restructuring of command parsing rather than relying on reactive fixes for individual code paths. Version 0.14.3 closes a hole, but it does not necessarily fix the logic that creates them.
With the availability of Rapid7’s Metasploit module and IoCs, the threshold for exploitation has dropped. The risk is no longer confined to advanced threat actors with proprietary reverse-engineering capabilities.
Sources
- https://www.bleepingcomputer.com/news/security/gogs-patches-critical-zero-day-enabling-remote-code-execution/
- https://www.securityweek.com/gogs-zero-day-exposes-servers-to-remote-code-execution/
- https://nvd.nist.gov/vuln/detail/CVE-2024-39933
- https://nvd.nist.gov/vuln/detail/CVE-2024-39932
- https://nvd.nist.gov/vuln/detail/CVE-2026-26194
- https://nvd.nist.gov/vuln/detail/CVE-2024-39930
- https://nvd.nist.gov/vuln/detail/CVE-2025-8110