What's Happening?
A significant security vulnerability has been identified in Gogs, an open-source self-hosted Git service, which permits any authenticated user to execute arbitrary code. This flaw, rated 9.4 on the CVSS scale, does not have a CVE identifier. According to security researcher Jonah Burgess, the vulnerability can be exploited by creating a pull request with a malicious branch name that injects the --exec flag into git rebase during the 'Rebase before merging' operation. Exploitation does not require administrative privileges or interaction with other users. The vulnerability affects all supported platforms, including Windows, Linux, and macOS. Despite being reported on March 17, 2026, the issue remains unpatched.
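The defect described above is argument injection: an untrusted branch name is placed where git's option parser can read it as a flag. As an added defensive example (not Gogs code; function names are hypothetical and it assumes git rebase honours `--` as the end of options), here is a ref-name validator and argv builder that refuse any option-looking name before it reaches git rebase:

```python
import subprocess

# Characters git-check-ref-format never allows inside a ref name
# (control characters, space, DEL, and ~ ^ : ? * [ \).
_BAD_CHARS = set("~^:?*[\\") | {chr(c) for c in range(0x21)} | {"\x7f"}


def is_safe_ref_name(name: str) -> bool:
    """Return True only for a branch name that git would accept AND that
    cannot be mistaken for a command-line option.

    The git rules are a first filter; the decisive check for the rebase
    bug is the last one: no slash-separated component may start with '-',
    so a name such as '--exec=<cmd>' never reaches `git rebase` as a flag.
    This is deliberately stricter than git's own refname rules.
    """
    if not name or name == "@" or ".." in name or "@{" in name or "//" in name:
        return False
    if name.startswith("/") or name.endswith("/") or name.endswith("."):
        return False
    if any(c in _BAD_CHARS for c in name):
        return False
    for part in name.split("/"):
        if part.startswith(".") or part.endswith(".lock") or part.startswith("-"):
            return False
    return True


def build_rebase_argv(upstream: str, branch: str) -> list:
    """Build the argv for a 'rebase before merging' step from two untrusted refs.

    Both names are validated first, and '--' marks the end of options so the
    option parser cannot treat whatever follows as a flag (defence in depth).
    """
    for ref in (upstream, branch):
        if not is_safe_ref_name(ref):
            raise ValueError("refusing option-like or malformed ref name: %r" % ref)
    return ["git", "rebase", "--", upstream, branch]


def run_rebase(upstream: str, branch: str, repo_dir: str) -> int:
    """Run the rebase as an argv list (never through a shell); return git's exit code."""
    proc = subprocess.run(build_rebase_argv(upstream, branch), cwd=repo_dir)
    return proc.returncode
```

Ref names that fail validation should also be logged, since a branch named like a git option on a hosted repository is a useful detection signal in its own right.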
Why It's Important?
The vulnerability poses a severe risk to the security of Gogs instances, potentially allowing attackers to breach servers, access repositories, and compromise sensitive data. This could lead to cross-tenant data breaches, enabling attackers to read private repositories hosted on shared servers. The flaw's impact is widespread, affecting an estimated 1,141 internet-facing Gogs instances, with the actual number likely higher due to deployments behind VPNs or internal networks. The lack of a patch increases the urgency for users to implement recommended security measures to mitigate potential exploitation.
What's Next?
In the absence of a patch, users are advised to restrict user registration and repository creation to prevent unauthorized account creation and repository manipulation. Additionally, auditing rebase merge settings is recommended. Rapid7 has developed a Metasploit module to automate the exploit chain, highlighting the need for immediate action to secure affected systems. Organizations using Gogs should prioritize these security measures to protect their infrastructure and data from potential attacks.