New Gogs zero-day flaw lets hackers get remote code execution
Unpatched Gogs zero-day RCE flaw exploitable by authenticated users via argument injection.
Summary
A critical zero-day vulnerability in the Gogs self-hosted Git service allows authenticated attackers to achieve remote code execution through argument injection: a malicious pull request branch name is passed into git rebase during a rebase-merge operation. The flaw affects Gogs 0.14.2 and 0.15.0+dev and is reachable on default configurations, where open registration and unlimited repository creation are enabled. Gogs maintainers acknowledged the March 17 report on March 28 but have not released a patch, leaving over 2,400 exposed instances at risk.
Full text
New Gogs zero-day flaw lets hackers get remote code execution
By Sergiu Gatlan, May 28, 2026 10:25 AM

An unpatched zero-day vulnerability in the Gogs self-hosted Git service can allow attackers to gain remote code execution (RCE) on Internet-facing instances.

Designed as an alternative to GitHub Enterprise or GitLab and written in Go, Gogs is often exposed online for remote collaboration.

This critical-severity argument injection flaw has yet to be assigned a CVE ID, affects the latest release versions (Gogs 0.14.2 and 0.15.0+dev), and requires an authenticated account to exploit, but not admin privileges.

However, even though it requires only basic user privileges, Rapid7 senior security researcher Jonah Burgess (who discovered the flaw) said the vulnerability affects all Gogs servers running default configurations.

"Since Gogs ships with open registration enabled by default (DISABLE_REGISTRATION = false) and no limit on repository creation (MAX_CREATION_LIMIT = -1), an unauthenticated attacker can simply create an account and repository on any default-configured instance," Burgess warned on Thursday. "Any registered user who creates a repo is automatically its owner. From there, enabling rebase merging is a single toggle in settings, and the entire exploit chain can be operated without interaction from any other user."

Successful exploitation lets an attacker execute arbitrary code as the Gogs server process user: a pull request whose source branch carries a malicious name injects the --exec flag into the git rebase command that Gogs runs for the "Rebase before merging" merge operation, and git rebase --exec runs the supplied command.

Attackers can abuse the flaw "to compromise the server, read every repository on the instance (including other users' private repos), dump credentials (password hashes, API tokens, SSH keys, 2FA secrets), pivot to other network-accessible systems, and modify any hosted repository's code."
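The following Go snippet is an added illustration of the bug class described above, not Gogs's Merge() code and not code from the article or from Rapid7. The argv layout, the function names, and the assumption that the pull request's branch name reaches the git rebase argv unvalidated are all illustrative; the hardened builder applies the branch-name rules git enforces in `git check-ref-format --branch` and rejects anything that begins with a dash.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"unicode"
)

// ErrUnsafeRef is returned when a user-supplied ref name could be read by
// git as an option instead of a revision.
var ErrUnsafeRef = errors.New("ref name rejected: would be parsed as a git option")

// rebaseArgvUnsafe shows the bug class the article describes: the pull
// request's branch name is dropped straight into the git rebase argv. A
// branch named "--exec=id" is then parsed by git as its --exec option, which
// runs a shell command after each replayed commit. The argv layout is an
// assumption for illustration; this is not Gogs's Merge() code.
func rebaseArgvUnsafe(baseBranch, headBranch string) []string {
	return []string{"git", "rebase", baseBranch, headBranch}
}

// IsSafeBranchName reproduces the main rules git enforces in
// `git check-ref-format --branch` and additionally rejects any name that
// starts with '-', so the value can never be mistaken for an option.
func IsSafeBranchName(name string) bool {
	if name == "" || name == "@" || strings.HasPrefix(name, "-") {
		return false
	}
	if strings.HasPrefix(name, "/") || strings.HasSuffix(name, "/") ||
		strings.HasSuffix(name, ".") || strings.Contains(name, "//") ||
		strings.Contains(name, "..") || strings.Contains(name, "@{") {
		return false
	}
	for _, comp := range strings.Split(name, "/") {
		if strings.HasPrefix(comp, ".") || strings.HasSuffix(comp, ".lock") {
			return false
		}
	}
	for _, r := range name {
		if r < 0x20 || r == 0x7f || unicode.IsSpace(r) || strings.ContainsRune("~^:?*[\\", r) {
			return false
		}
	}
	return true
}

// RebaseArgv is the hardened builder. Validating both names is the control
// that matters; the "--" separator (git's end-of-options marker) is kept as
// defence in depth. Hand the result to exec.Command, never to a shell, so the
// names are not parsed a second time.
func RebaseArgv(baseBranch, headBranch string) ([]string, error) {
	for _, n := range []string{baseBranch, headBranch} {
		if !IsSafeBranchName(n) {
			return nil, fmt.Errorf("%w: %q", ErrUnsafeRef, n)
		}
	}
	return []string{"git", "rebase", "--", baseBranch, headBranch}, nil
}

func main() {
	// Constructed sample input: the attacker controls headBranch.
	attacker := "--exec=id"
	fmt.Println("unsafe:  ", strings.Join(rebaseArgvUnsafe("main", attacker), " "))
	if _, err := RebaseArgv("main", attacker); err != nil {
		fmt.Println("hardened:", err)
	}
	argv, _ := RebaseArgv("main", "feature/login-fix")
	fmt.Println("hardened:", strings.Join(argv, " "))
}
```

The same check belongs on every code path that turns a user-chosen ref into a git argument, not only the merge path: the earlier Gogs CVEs the article lists were fixes of the same pattern elsewhere, and the current flaw sits in a path those fixes did not cover.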
Burgess added that this vulnerability is similar to other argument injection flaws (CVE-2024-39933, CVE-2024-39932, CVE-2026-26194, and CVE-2024-39930) addressed by Gogs in recent years, but it sits in a different code path (Merge()) that was never patched.

The researcher reported the flaw to the Gogs maintainers on March 17. They acknowledged the report on March 28 but have yet to provide a patch or respond to further requests for a status update.

Internet security watchdog Shadowserver now tracks over 2,400 Gogs servers exposed online, most of them in Asia (1,894) and Europe (319), while Shodan finds just over 1,000 IP addresses with a Gogs fingerprint.

Gogs servers exposed online (Shadowserver)

In early December, the Gogs security team patched another Gogs RCE vulnerability (CVE-2025-8110) that was exploited in zero-day attacks to compromise hundreds of servers.

"Many of these instances are configured with 'Open Registration' enabled by default, creating a massive attack surface," Wiz security researchers (who reported the flaw) said at the time.

Wiz Research discovered CVE-2025-8110 while investigating a compromised Internet-facing Gogs server in July and reported it to the Gogs maintainers on July 17. The maintainers acknowledged the report three months later, on October 30, and released CVE-2025-8110 patches in early January.

On January 12, CISA confirmed Wiz's report that CVE-2025-8110 was under active exploitation and added the flaw to its catalog of vulnerabilities exploited in the wild, ordering Federal Civilian Executive Branch (FCEB) agencies to secure their servers by February 2.

"This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise," CISA warned at the time.
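Both the current flaw and CVE-2025-8110 are reachable from an account any visitor can self-register on a default install. The Go snippet below is an added check, not from the article, Rapid7, Wiz or the Gogs project, that reads the text of a Gogs app.ini and reports whether the two defaults quoted above (DISABLE_REGISTRATION = false, MAX_CREATION_LIMIT = -1) are still in effect. The sample configuration is constructed, and the section names ([service], [repository]) are an assumption about where Gogs keeps these keys.

```go
package main

import (
	"fmt"
	"strings"
)

// defaultIni is a constructed sample of a default-style app.ini; the section
// names are an assumption about where Gogs keeps these keys.
const defaultIni = `
[repository]
ROOT = /data/git/gogs-repositories
; -1 means no limit
MAX_CREATION_LIMIT = -1

[service]
DISABLE_REGISTRATION = false
REQUIRE_SIGNIN_VIEW = false
`

// parseIni is a minimal INI reader: "section.KEY" -> value, with comments
// and blank lines skipped. Enough for an audit, not a general-purpose parser.
func parseIni(text string) map[string]string {
	vals := map[string]string{}
	section := ""
	for _, raw := range strings.Split(text, "\n") {
		line := strings.TrimSpace(raw)
		if line == "" || strings.HasPrefix(line, ";") || strings.HasPrefix(line, "#") {
			continue
		}
		if strings.HasPrefix(line, "[") && strings.HasSuffix(line, "]") {
			section = strings.ToLower(strings.Trim(line, "[]"))
			continue
		}
		if k, v, ok := strings.Cut(line, "="); ok {
			vals[section+"."+strings.ToUpper(strings.TrimSpace(k))] = strings.TrimSpace(v)
		}
	}
	return vals
}

// AuditAppIni reports which of the two defaults named in the article are
// still in effect. A key that is absent is treated as set to Gogs's default,
// so an empty or minimal config is reported as exposed, not as clean.
func AuditAppIni(text string) []string {
	vals := parseIni(text)
	get := func(key, def string) string {
		if v, ok := vals[key]; ok {
			return v
		}
		return def
	}
	var findings []string
	if strings.EqualFold(get("service.DISABLE_REGISTRATION", "false"), "false") {
		findings = append(findings, "[service] DISABLE_REGISTRATION=false: anyone can self-register and reach the flaw")
	}
	if get("repository.MAX_CREATION_LIMIT", "-1") == "-1" {
		findings = append(findings, "[repository] MAX_CREATION_LIMIT=-1: every account may create unlimited repositories")
	}
	return findings
}

func main() {
	for _, f := range AuditAppIni(defaultIni) {
		fmt.Println("FINDING:", f)
	}
	hardened := strings.NewReplacer("DISABLE_REGISTRATION = false", "DISABLE_REGISTRATION = true").Replace(defaultIni)
	fmt.Println("after disabling registration:", len(AuditAppIni(hardened)), "finding(s) left")
}
```

Disabling open registration is the setting that removes the unauthenticated path the researchers describe; a finite MAX_CREATION_LIMIT on its own does not help, since the attacker needs only one repository. Neither setting is a fix: any account that already exists, or that an admin creates, can still drive the exploit chain until a patched Gogs release is available.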
Indicators of Compromise
- cve — CVE-2024-39933
- cve — CVE-2024-39932
- cve — CVE-2026-26194
- cve — CVE-2024-39930
- cve — CVE-2025-8110