
New Gogs 0-Day Vulnerability Lets Attackers Run Malicious Code on the Server Remotely

A critical zero-day vulnerability has been discovered in Gogs, one of the most widely deployed self-hosted Git platforms in the world.

May 28, 2026 · Guru Baran · Live Redaktion


Summary

  • A critical zero-day vulnerability has been discovered in Gogs, one of the most widely deployed self-hosted Git platforms in the world, allowing any authenticated user to execute arbitrary commands on the underlying server with no patch available at the time of publication.
  • Rapid7 Labs researcher Jonah Burgess (CryptoCat) identified the flaw, tracked as a CWE-88 argument injection vulnerability, and scored it CVSSv4 9.4 (Critical).

All prior versions supporting the rebase merge style are also likely vulnerable.

Gogs 0-Day Vulnerability

The exploit targets the Merge() function in internal/database/pull.go, which passes pull request base branch names directly to a git rebase command without a POSIX -- separator or proper argument sanitization.

An attacker crafts a malicious branch name such as --exec=touch${IFS}/tmp/rce_proof and opens a pull request using that branch. When the rebase merge is triggered, Git’s argument parser interprets --exec as a flag rather than a branch name, causing Git to run the attacker-controlled command via sh -c after each replayed commit.

The result is arbitrary command execution running as the Gogs server process user — typically git on both Docker and binary installations. What makes this especially dangerous is the low barrier to entry.


Security situation and risk

“Gogs ships with open user registration and unlimited repository creation enabled; an unauthenticated attacker can register an account, create a repository, enable rebase merging in settings, and launch the full exploit chain entirely within their own account, requiring no interaction from any other user and no administrative privileges,” Jonah Burgess said.

The practical consequences of a successful exploit are severe:
  • Server compromise via arbitrary command execution as the Gogs process user
  • Cross-tenant data breach — read every repository on the instance, including private repos from other users
  • Credential theft — dump password hashes, API tokens, SSH keys, and 2FA secrets from the database
  • Lateral movement to other systems reachable from the server’s network
  • Supply chain attacks — silently modify any hosted repository’s code, bypassing audit logging

Gogs has approximately 50,000 GitHub stars and over 5,000 forks, and a Shodan search at the time of publication revealed 1,141 internet-facing instances, with the real install base far larger due to internal and VPN-protected deployments.

A fully functional Metasploit module has been published, making exploitation trivial and automatable in seconds. Defenders should monitor Gogs server logs for ERROR-level entries containing patterns like git checkout '--exec= ': exit status 128.

Administrators should also audit repository branch listings for names beginning with --, check user token lists at /-/user/settings/applications for unexpected msf_ entries, and inspect PR histories on sensitive repositories.

Mitigations

No vendor patch exists. Until one is released, organizations should apply these mitigations immediately:
  • Set DISABLE_REGISTRATION = true in app.ini to block untrusted account creation
  • Set MAX_CREATION_LIMIT = 0 to prevent users from creating new repositories
  • Audit all repositories for the “Rebase before merging” setting, especially on repos with external contributors

Rapid7 first reported this vulnerability to Gogs maintainers on March 17, 2026. Despite multiple follow-ups through May 2026, no fix has been delivered.
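The log-signature check from the detection guidance and the branch-name audit and missing -- separator from the paragraphs above, as one added Go example that is not Gogs' own code or Rapid7's module. The timestamp and level layout of the constructed sample log lines is an assumption; the git error text and the leading-dash rule come from the article, and the ref check goes slightly beyond the article's -- audit by also rejecting a single leading dash, since git parses short options the same way.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Signature from the article's detection guidance: the failed checkout Gogs
// logs when a base branch name was parsed by git as an option.
var exploitIndicator = regexp.MustCompile(`git checkout '--exec=.*': exit status 128`)

// IsExploitIndicator reports whether one Gogs log line carries that signature.
func IsExploitIndicator(line string) bool {
	return exploitIndicator.MatchString(line)
}

// IsOptionLikeRef flags branch names git's argument parser would treat as an
// option instead of a ref. The article's audit looks for a leading "--"; a
// single leading "-" is rejected as well, since short options parse the same way.
func IsOptionLikeRef(name string) bool {
	return strings.HasPrefix(name, "-")
}

// RebaseArgs builds a rebase argv with the POSIX "--" separator and refuses
// option-like names, the two safeguards the article says Merge() lacks.
// Illustrative hardening only, not Gogs' own code.
func RebaseArgs(base string) ([]string, error) {
	if base == "" || IsOptionLikeRef(base) {
		return nil, fmt.Errorf("refusing option-like base branch %q", base)
	}
	return []string{"rebase", "--", base}, nil
}

// Constructed sample log lines; the timestamp and level layout are assumptions,
// only the git error text is the signature from the article.
var sampleLog = []string{
	"2026/05/28 09:12:01 [ INFO] Listen: http://0.0.0.0:3000",
	"2026/05/28 09:13:44 [ERROR] Merge: git checkout '--exec=<redacted>': exit status 128",
	"2026/05/28 09:14:02 [ INFO] PR #7 merged",
}

func main() {
	fmt.Println("log hit:", IsExploitIndicator(sampleLog[1]), IsExploitIndicator(sampleLog[0]))
	fmt.Println("option-like branch:", IsOptionLikeRef("--exec=<redacted>"), IsOptionLikeRef("main"))
	_, err := RebaseArgs("--exec=<redacted>")
	fmt.Println("hardened argv rejects it:", err != nil)
}
```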

Source and editorial details

Source: Cyber Security News
Original title: New Gogs 0-Day Vulnerability Lets Attackers Run Malicious Code on the Server Remotely
Canonical: https://cybersecuritynews.com/gogs-0-day-vulnerability/
Source URL: https://cybersecuritynews.com/gogs-0-day-vulnerability/
