
Gogs Vulnerability Exposes Remote Code Execution Risk


"The vulnerability allows any authenticated user to achieve remote code execution (RCE) on the server by creating a pull request with a malicious branch name that injects the --exec flag into git rebase during the 'Rebase before merging' merge operation," security researcher Jonah Burgess said.

How the bug works: git rebase, the --exec flag, and injected branch names

Rapid7 and researcher Jonah Burgess describe a chain that leverages git's own --exec argument to achieve remote code execution on Gogs instances. The attack injects the --exec flag into a git rebase operation during a "Rebase before merging" workflow: a specially crafted branch name placed in a pull request causes git rebase to run an attacker-controlled shell command after each commit is replayed.

Rebasing, the report notes, rewrites project history by creating new commits for each original commit; the --exec flag exists to run a shell command after each replayed commit. When an attacker can cause that flag to be supplied to git rebase through a branch name, the server executes arbitrary commands as part of the rebase process.
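The injection described above is an argument injection, not a shell injection: git's own option parser reads a positional argument that begins with "-" as a flag, so building the command as an argv list without a shell does not help. The defensive check that closes this class is to validate the ref name before it reaches the command line. The following is an added example written for this article, not Gogs' code or Rapid7's; `is_safe_branch_name` implements a subset of the rules `git check-ref-format` enforces plus the rule that a branch name may not start with a dash, and `build_rebase_argv` refuses to construct the command for anything that fails it. The `run_rebase` caller is hypothetical.

```python
"""
Added example (not Gogs' code): reject ref names that git would parse as
options before they are placed on a `git rebase` command line.
"""
import re
import subprocess
from typing import List

# Characters forbidden anywhere in a ref name (subset of git-check-ref-format):
# control characters, space, DEL, ~ ^ : ? * [ and backslash.
_FORBIDDEN_CHARS = re.compile(r"[\x00-\x20\x7f~^:?*\[\\]")


def is_safe_branch_name(name: str) -> bool:
    """Return True only if `name` is a valid branch name that git will not
    interpret as an option."""
    if not name or name == "@":
        return False
    if name.startswith("-"):
        # A leading dash is the whole bug class: git would read "--exec=..."
        # as a flag rather than as a branch to rebase.
        return False
    if _FORBIDDEN_CHARS.search(name):
        return False
    if ".." in name or "@{" in name:
        return False
    if name.startswith("/") or name.endswith("/") or "//" in name:
        return False
    if name.endswith("."):
        return False
    for component in name.split("/"):
        # No path component may start with "." or end with ".lock".
        if component.startswith(".") or component.endswith(".lock"):
            return False
    return True


def build_rebase_argv(upstream: str, branch: str) -> List[str]:
    """Build argv for `git rebase <upstream> <branch>`, raising ValueError
    instead of producing a command when either name fails validation."""
    for name in (upstream, branch):
        if not is_safe_branch_name(name):
            raise ValueError(f"refusing unsafe ref name: {name!r}")
    # Both names are positional; after validation neither can be read as a flag.
    return ["git", "rebase", upstream, branch]


def run_rebase(repo_dir: str, upstream: str, branch: str) -> int:
    """Hypothetical caller: run the validated rebase inside `repo_dir`."""
    argv = build_rebase_argv(upstream, branch)
    return subprocess.run(argv, cwd=repo_dir, check=False).returncode
```

The validator is deliberately stricter than git's minimum: rejecting every name that starts with "-" removes the option-injection surface regardless of which flags a particular git subcommand accepts, so the check does not have to be revisited when the set of dangerous flags changes.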

Attack prerequisites and exploitation paths

Two exploitation scenarios are described. The first requires only a registered account on a default-configured Gogs instance: "Any registered user who creates a repo is automatically its owner," Burgess said. With repository creation allowed and rebase merging enabled—a single toggle in settings—an attacker can create a repository, enable rebase merging, push a malicious branch, open a pull request, and trigger command execution without interacting with other users or having admin privileges.

The alternative scenario applies where repository creation is restricted: an attacker who already has write access to a repository that has rebase merging enabled can use that access directly to trigger the same chain and obtain code execution.

Scope and impact: platforms, instances, and potential damage

Rapid7 rates the flaw 9.4 on the CVSS scale and reports it has no CVE identifier. The company says the vulnerability affects all supported platforms: Windows, Linux, and macOS. Exploitation could allow an attacker to breach the server, access every repository on the instance, dump credentials, move laterally to other network-accessible systems, and modify any hosted repository's code. Rapid7 also warns of cross-tenant data breaches that could expose private repositories on the same shared server.

The report notes an estimated 1,141 internet-facing Gogs instances; that figure is likely an underestimate because many deployments sit behind VPNs or on internal networks.

Mitigations, configuration changes, and tooling available

Because the vulnerability remains unpatched as of this article's publication (Rapid7 reported it to the maintainer on March 17, 2026), the advisory lists configuration controls administrators can apply immediately. Recommended actions include disabling open registration (DISABLE_REGISTRATION = true in app.ini), preventing users from creating repositories (MAX_CREATION_LIMIT = 0 in app.ini), and auditing repositories for rebase merging being enabled.
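To check whether those two app.ini workarounds are actually in place, the following added example (written for this article; not part of Rapid7's advisory or Gogs' own tooling) parses a Gogs-style app.ini and reports any mitigation that is missing or set to the wrong value. The section names [service] and [repository] are assumed from Gogs' standard app.ini layout, and both sample configurations are constructed for the example.

```python
"""
Added example (not Rapid7's or Gogs' code): audit an app.ini for the two
mitigations named in the advisory.
"""
import configparser
from typing import List

# Constructed sample: a default-looking app.ini that still allows open
# registration and unlimited repository creation.
WEAK_APP_INI = """\
APP_NAME = Gogs
RUN_USER = git

[repository]
ROOT = /home/git/gogs-repositories
MAX_CREATION_LIMIT = -1

[service]
DISABLE_REGISTRATION = false
REQUIRE_SIGNIN_VIEW = false
"""

# Constructed sample: the same file with the advisory's workarounds applied.
HARDENED_APP_INI = """\
APP_NAME = Gogs
RUN_USER = git

[repository]
ROOT = /home/git/gogs-repositories
MAX_CREATION_LIMIT = 0

[service]
DISABLE_REGISTRATION = true
REQUIRE_SIGNIN_VIEW = false
"""

# key -> (section assumed to hold it, value the advisory asks for)
EXPECTED = {
    "DISABLE_REGISTRATION": ("service", "true"),
    "MAX_CREATION_LIMIT": ("repository", "0"),
}


def parse_app_ini(text: str) -> configparser.ConfigParser:
    """Parse a Gogs-style INI. Gogs places a few keys before the first
    section header, which configparser rejects outright, so a synthetic
    section is prepended; interpolation is off so '%' in values is literal."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case so DISABLE_REGISTRATION matches as written
    cp.read_string("[__root__]\n" + text)
    return cp


def audit_app_ini(text: str) -> List[str]:
    """Return findings for each mitigation not applied; empty list means
    both DISABLE_REGISTRATION = true and MAX_CREATION_LIMIT = 0 are set."""
    cp = parse_app_ini(text)
    findings = []
    for key, (section, required) in EXPECTED.items():
        actual = cp.get(section, key, fallback=None)
        if actual is None:
            # An absent key falls back to the Gogs default, which does not
            # apply the mitigation, so it is reported as a finding.
            findings.append(f"[{section}] {key} not set (required {required})")
        elif actual.strip().lower() != required:
            findings.append(f"[{section}] {key} = {actual.strip()} (required {required})")
    return findings


if __name__ == "__main__":
    for label, ini in (("weak", WEAK_APP_INI), ("hardened", HARDENED_APP_INI)):
        print(label, audit_app_ini(ini) or "OK")
```

Run against a real deployment by reading the instance's app.ini into `audit_app_ini`; note that it only checks the file-level settings and does not cover the per-repository rebase-merge toggle, which still has to be audited in the application itself.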

Rapid7 has also released a Metasploit module that automates the exploit against both Linux and Windows targets. The module supports two modes: a default mode that creates a temporary repository under the attacker's account, runs the exploit, and deletes the repository; and a mode that targets an existing repository where the attacker already has write and merge access.

Rapid7 notes differences in forensic traces: when an attacker creates and deletes their own repository, the only log artifact is an HTTP 500 in the server logs; exploiting an existing repository leaves additional artifacts.

What this means for repository administrators, security teams, and end users

  • Repository administrators: Review and, where appropriate, disable rebase merging on public or multi-tenant instances. Immediately apply the configuration workarounds—DISABLE_REGISTRATION = true and MAX_CREATION_LIMIT = 0—if you cannot patch.
  • Security teams and incident responders: Treat the presence of unexplained HTTP 500 errors on a Gogs server as a potential indicator of this exploitation technique and prioritize forensic review of recent merges and repository-creation activity.
  • End users and developers with write access: Be aware that write access combined with rebase-merge enabled can be sufficient for exploitation; consider limiting merge privileges and auditing who can push and merge to critical repositories.

The disclosure, high CVSS score, and the availability of an automated Metasploit module together leave little doubt that unpatched, default-configured instances are at acute risk. The vulnerability was reported to the Gogs maintainer on March 17, 2026, and remained unpatched as of this writing; administrators who cannot immediately apply a vendor patch should follow the listed mitigations and monitor server logs closely.
