Authenticated RCE via Argument Injection in Gogs (NOT FIXED)
Rapid7 Labs, Thursday, May 28th, 2026
Critical argument injection vulnerability in Gogs allows authenticated users to achieve RCE via malicious branch names in rebase merges.
Rapid7 Labs discovered a critical argument injection vulnerability (CVSSv4 9.4) in Gogs, a popular open-source self-hosted Git service, that allows any authenticated user to achieve remote code execution on the server.
The vulnerability exploits the 'Rebase before merging' feature by injecting the --exec flag into git rebase through a maliciously crafted branch name, requiring no admin privileges or user interaction.
Since Gogs enables open registration and repository creation by default, unauthenticated attackers can create accounts and exploit the vulnerability, leading to complete server compromise, data breaches across all repositories, credential theft, and supply chain attacks. At the time of publication, no patch had been released, and the vulnerability affects all supported platforms and versions including Gogs 0.14.2 and 0.15.0+dev.