
An unpatched vulnerability in the Git service Gogs allows authenticated users to execute code on servers. Rapid7 publishes an exploit module.
The cross-platform open-source service Gogs, used worldwide as a self-hosted Git hosting service, contains a serious security vulnerability. The IT security company Rapid7 published technical details about the flaw in late May 2026; under certain conditions it allows remote attackers to execute arbitrary code on the underlying server.
In the Common Vulnerability Scoring System, the vulnerability is rated critical with a score of 9.4. An official CVE identifier is not yet available for the flaw. According to the analysts, all operating system platforms supported by the software are affected, including Windows, Linux, and macOS. The flaw lies in the service's access control and in its automated handling of code merges.
The technical process of code injection via Git rebase
The security vulnerability stems from insufficient validation of user-supplied branch names. A central part of Git workflows is merging code changes via pull requests, and Gogs offers the convenience of rebasing before merging. A standard git rebase takes the individual commits of a feature branch and reapplies them one by one on top of another base branch, giving the project a clean, linear history.
During this process, git optionally accepts the --exec option, which specifies a shell command that is run automatically after each commit has been successfully applied. Security researcher Jonah Burgess discovered that the input fields in Gogs do not adequately sanitize branch names. An attacker can therefore choose a branch name that contains this option.
“The vulnerability allows any authenticated user to achieve remote code execution on the server by creating a pull request with a malicious branch name that injects the --exec flag during the rebase merge operation in git rebase.”
Rapid7
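A defensive check for the flaw described above, written as an added example in Go (the language Gogs is implemented in); it is not Gogs' own code, and RebaseArgs is a hypothetical helper. It refuses any branch name that git's argument parser would read as an option, together with the names git's own ref-naming rules forbid, before the name can reach a git command line:

```go
package main

import (
	"fmt"
	"strings"
)

// ValidateBranchName applies the rules git-check-ref-format documents for
// branch names and, most importantly here, rejects any name beginning with
// '-', which git would otherwise parse as an option such as --exec.
func ValidateBranchName(name string) error {
	if strings.HasPrefix(name, "-") {
		return fmt.Errorf("branch name %q would be parsed as a git option", name)
	}
	if name == "" || name == "@" || strings.HasPrefix(name, "/") || strings.HasSuffix(name, "/") ||
		strings.HasSuffix(name, ".") || strings.Contains(name, "//") || strings.Contains(name, "..") ||
		strings.Contains(name, "@{") {
		return fmt.Errorf("branch name %q violates git ref naming rules", name)
	}
	for _, r := range name {
		// control characters, DEL, and the characters git forbids in ref names
		if r < 0x20 || r == 0x7f || strings.ContainsRune(" ~^:?*[\\", r) {
			return fmt.Errorf("forbidden character %q in branch name %q", r, name)
		}
	}
	for _, comp := range strings.Split(name, "/") {
		if strings.HasPrefix(comp, ".") || strings.HasSuffix(comp, ".lock") {
			return fmt.Errorf("bad path component %q in branch name %q", comp, name)
		}
	}
	return nil
}

// RebaseArgs (hypothetical helper) builds the argv for "git rebase <base> <head>"
// only after both names pass validation, so no user value lands in an option slot.
func RebaseArgs(base, head string) ([]string, error) {
	for _, b := range []string{base, head} {
		if err := ValidateBranchName(b); err != nil {
			return nil, err
		}
	}
	return []string{"rebase", base, head}, nil
}

func main() {
	for _, n := range []string{"feature/login", "--exec", "-x", "a..b", "bad name"} {
		fmt.Printf("%-16q -> %v\n", n, ValidateBranchName(n))
	}
}
```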
Low attack barriers and impacts on shared server environments
A significant risk factor of this vulnerability lies in the extremely low barriers for successful exploitation. The attacker requires no administrative privileges within the Gogs instance, and no interaction with other legitimate users of the system is required. In the default configuration of the Git service, it is sufficient if an anonymous actor registers a new user account on a publicly accessible instance. Every registered user has the default right to create their own code repositories and is automatically registered as their owner.
In the repository settings, the rebase function can be enabled via a simple button, allowing the entire attack chain to be executed without external approvals. In more restrictive environments where normal users are blocked from independently creating repositories, a potential attacker requires only write access to an existing repository where the rebase option has been enabled by the administrator.
According to estimates by security researchers, at least 1,141 Gogs instances directly accessible via the Internet are affected by this problem worldwide. However, the actual number of endangered installations is likely to be significantly higher, as a large portion of enterprise environments operate behind virtual private networks or within isolated internal corporate networks.
Missing security updates and action recommendations
Despite the severity of the problem, and although the vulnerability was reported to the maintainers of the open-source software on March 17, 2026, no official patch is available as of late May 2026. Until a corrected release is published, administrators must rely on manual protective measures. To minimize the risk of the flaw being used as a foothold in the enterprise infrastructure, it is strongly recommended to disable user registration entirely by setting DISABLE_REGISTRATION = true in the central configuration file app.ini.
Additionally, the creation of new repositories should be blocked by setting MAX_CREATION_LIMIT = 0 for accounts that have not been fully vetted. Existing repositories must be reviewed for their rebase merge settings. The situation is aggravated by Rapid7’s publication of an automated Metasploit module. The module automates the entire process against Linux and Windows systems, either by creating temporary repositories or by using existing access; once the temporary repository is deleted, often only a generic HTTP 500 error code remains in the server log as a trace.
Tags: #Cyber Security | #Security Vulnerability
Original source: www.it-daily.net
Imported via Lumi AI News on June 2, 2026. Marked in accordance with Art. 50 EU AI Act: AI-assisted curation.