Critical Gogs flaw can let authenticated users run code on servers

A critical, unpatched vulnerability in Gogs, the open-source self-hosted Git service, can let an authenticated user execute arbitrary code on a server under certain conditions, according to a technical analysis from Rapid7. The flaw is rated 9.4 on the CVSS scale and does not yet have a CVE identifier.

KEY FACTS

  • Impact: Authenticated users can trigger remote code execution on affected servers.
  • Trigger: A malicious branch name injects the --exec option into git rebase when a pull request is merged with rebase.
  • Access needed: No admin rights are required; on a default-configured instance, an ordinary registered account plus a repository the attacker creates is enough.
  • Status: The disclosure says the flaw was reported on March 17, 2026 and remains unpatched.

The report says the attack works when a pull request is created from a branch whose name is crafted to change how git rebase runs once the pull request is merged with the Rebase before merging option. git rebase accepts an --exec argument, which runs a shell command after each commit is replayed; if the branch name is passed to git in a position where the option parser reads it as that argument, the command runs on the server as soon as the rebase starts replaying commits.
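The bug class described above is argument injection: user-controlled text reaches a git command line in a position where git still parses it as an option. The Go program below is an added illustration written for this page, not Gogs code and not Rapid7's exploit; it models a vulnerable argv builder beside a hardened one. The branch name --exec=id is a constructed sample, and the function and variable names are this example's own. The hardened version relies on two facts about git: branch names beginning with a dash are rejected by git check-ref-format --branch, and git's option parser stops reading options at a bare "--".

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Constructed sample input (not from the advisory): a branch name that git's
// option parser would read as the rebase --exec option.
const maliciousBranch = "--exec=id"

// rebaseArgsVulnerable models the bug class: the user-supplied branch name is
// appended to argv with nothing to stop git from parsing it as an option.
// git permutes arguments, so an option placed after a positional is still
// treated as an option.
func rebaseArgsVulnerable(upstream, branch string) []string {
	return []string{"rebase", upstream, branch}
}

// hasInjectedOption reports whether any argument after the subcommand would
// be parsed as an option, i.e. starts with "-" before an end-of-options "--".
func hasInjectedOption(args []string) bool {
	for _, a := range args[1:] {
		if a == "--" {
			return false
		}
		if strings.HasPrefix(a, "-") {
			return true
		}
	}
	return false
}

// validateBranchName enforces a subset of git's check-ref-format rules that
// matter here: no leading dash, no control characters, and none of the
// characters or sequences git itself refuses in branch names.
func validateBranchName(name string) error {
	switch {
	case name == "":
		return errors.New("empty branch name")
	case strings.HasPrefix(name, "-"):
		return fmt.Errorf("branch name %q starts with '-'", name)
	case strings.ContainsAny(name, " ~^:?*[\\"):
		return fmt.Errorf("branch name %q contains a character git rejects", name)
	case strings.Contains(name, "..") || strings.Contains(name, "@{"):
		return fmt.Errorf("branch name %q contains '..' or '@{'", name)
	case strings.HasSuffix(name, "/") || strings.HasSuffix(name, ".") || strings.HasSuffix(name, ".lock"):
		return fmt.Errorf("branch name %q has a forbidden suffix", name)
	}
	for _, r := range name {
		if r < 0x20 || r == 0x7f {
			return fmt.Errorf("branch name %q contains a control character", name)
		}
	}
	for _, part := range strings.Split(name, "/") {
		if part == "" || strings.HasPrefix(part, ".") {
			return fmt.Errorf("branch name %q has an empty or dot-leading component", name)
		}
	}
	return nil
}

// rebaseArgsHardened validates both ref names and, as defence in depth, puts
// "--" before them so git's option parser cannot treat them as options even
// if validation is ever weakened.
func rebaseArgsHardened(upstream, branch string) ([]string, error) {
	for _, n := range []string{upstream, branch} {
		if err := validateBranchName(n); err != nil {
			return nil, err
		}
	}
	return []string{"rebase", "--", upstream, branch}, nil
}

func main() {
	vuln := rebaseArgsVulnerable("master", maliciousBranch)
	fmt.Printf("vulnerable argv: git %s (option injected: %v)\n",
		strings.Join(vuln, " "), hasInjectedOption(vuln))

	if _, err := rebaseArgsHardened("master", maliciousBranch); err != nil {
		fmt.Println("hardened builder rejected payload:", err)
	}
	safe, _ := rebaseArgsHardened("master", "feature/login")
	fmt.Printf("hardened argv:   git %s (option injected: %v)\n",
		strings.Join(safe, " "), hasInjectedOption(safe))
}
```

Both layers are deliberate: validation alone fails if a future code path accepts ref names from another source (a push refspec, an API field) that skips the check, and "--" alone does nothing if the same name is later interpolated into a shell string rather than passed as a separate argv element.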

Rapid7 said the flaw can be exploited by any registered user who creates a repository on a default-configured instance: that user becomes the repository owner, can enable rebase merging in the repository settings, and needs no interaction from any other user. A separate path exists when an attacker already has write access to a repository that has rebase merging enabled.

The disclosure says successful exploitation could allow an attacker to compromise the server, read every repository on the instance, dump credentials, move laterally to other network-accessible systems, and tamper with hosted code. It also could expose private repositories belonging to other users on the same shared server. Rapid7 said the issue affects Windows, Linux, and macOS.

Rapid7 estimated there are about 1,141 internet-facing Gogs instances, although the real number may be higher because many deployments sit behind VPNs or internal networks. The company also released a Metasploit module that automates the exploit chain on Linux and Windows targets.

WHY IT MATTERS

The flaw turns a routine repository action into server-level code execution, which raises the risk of data theft and repository tampering on self-hosted Git services. Until a patch is available, administrators are advised to restrict registration, limit repository creation, and review rebase merge settings, since the attack only works when the Rebase before merging option is enabled on the target repository.