Rapid7 Finds Unpatched Argument-Injection RCE in Gogs — Any Authenticated User Owns the Server

Gogs is the second self-hosted Git platform in a single week to ship a critical flaw that inverts the security premise of self-hosting — and unlike the Gitea CVE that preceded it, this one has no patch, only mitigations that depend on operators tightening defaults that ship wide-open.

BOSTON, MASSACHUSETTS — On May 28, 2026, Rapid7 Labs disclosed a critical argument-injection vulnerability (CWE-88) in Gogs — the popular open-source, self-hosted Git service — that allows any authenticated user to achieve remote code execution on the Gogs server. Rapid7 scores the flaw CVSSv4 9.4 (Critical). The exploit chain is short: an attacker creates a pull request whose branch name contains a payload that injects the --exec flag into git rebase during the 'Rebase before merging' merge operation, and the rebase command runs the attacker's payload via sh -c as the Gogs server process user. No admin privileges are required, no interaction with other users is required, and at the time of publication Gogs has not released a patch.

The disclosure was published on the Rapid7 blog by Senior Security Researcher Jonah Burgess. Rapid7 reported the flaw to Gogs on March 17, 2026; the maintainer acknowledged receipt on March 28 and has not provided a fix or further response despite multiple follow-ups. Rapid7 has shipped a Metasploit module that automates the full exploit chain against both Linux and Windows targets. No CVE identifier has been assigned at disclosure.

What Happened

Rapid7 Labs published the disclosure on May 28, 2026. The vulnerability is an argument-injection flaw (CWE-88) in the Merge() function inside Gogs' internal/database/pull.go module. When a user opens a pull request and the repository has 'Rebase before merging' enabled, Gogs runs git rebase against the PR's base branch name in a temporary directory — and the base branch name is taken from the URL and passed directly into the rebase command line, without the POSIX -- separator that would force everything after it to be treated as data rather than as flags. An attacker who pushes a branch named --exec=<payload> and then opens a pull request with that branch as the base ends up with git rebase --quiet '--exec=<payload>' '<headref>' on the server. Git treats --exec as a flag, runs the payload via sh -c after each replayed commit, and the attacker has remote code execution as the Gogs process user.

What makes the flaw severe in practice is the absence of preconditions. Gogs ships with open registration enabled by default and with no limit on repository creation; on any default-configured instance, an attacker can register an account, create a repository, toggle on rebase merging, push a malicious branch, open a pull request, and click merge — no other user involved. Where registration is restricted, any user with write access to a repository where rebase is enabled can exploit the same flaw. Rapid7 confirmed the bug on Gogs 0.14.2 and 0.15.0+dev (commit b53d3162) and notes that all prior versions supporting 'Rebase before merging' are likely vulnerable. The company has shipped a Metasploit module covering Linux and Windows targets. Gogs has not assigned a CVE, has not issued a patch, and — beyond an initial acknowledgement on March 28, 2026 — has not responded to Rapid7's follow-ups.

Second Self-Hosted Git Platform in a Single Week

The Gogs disclosure lands the day after a different critical flaw in a different self-hosted Git platform. On May 27, 2026, Gitea disclosed CVE-2026-27771, an unauthenticated container-image-pull authorization flaw that exposed private images on any internet-reachable Gitea below 1.26.2. Inside a single week, two of the most widely deployed self-hosted alternatives to GitHub have shipped critical, premise-inverting flaws — the Gitea one collapsing the 'private' designation on container images, the Gogs one handing remote code execution to anyone who can register an account. The shared lesson is structural: self-hosting a developer platform does not, on its own, deliver more security than the SaaS option it was chosen over. It transfers the security work onto the operator, and on platforms where defaults ship wide-open and the maintainer is slow to patch, that transfer is not an even trade. Gitea shipped a patched version the day of its advisory; Gogs has not — meaning every internet-reachable Gogs instance is sitting on a known, unpatched, weaponized RCE.

Why CVSSv4 9.4 Is the Right Score for an Authenticated Bug

CVSSv4 9.4 is an unusually high score for a flaw that nominally requires authentication, and the reason it lands at that level is that authentication on a default-configured Gogs instance is not a meaningful barrier. Gogs ships with open registration enabled by default (DISABLE_REGISTRATION = false) and no cap on repository creation (MAX_CREATION_LIMIT = -1). An attacker on the internet can register an account, create their own repository, toggle on rebase merging in settings, push the malicious branch, and exploit the flaw entirely inside their own account — no interaction with any existing user, no admin role, no privilege escalation. The practical effect for a defender is that 'authenticated' on the affected versions means 'has an HTTP connection to the Gogs instance and is willing to fill out a sign-up form,' and the triage rating should match the CVSSv4 score, not the one-line summary.

The Trust Boundary on a Self-Hosted Git Platform Is Every Authenticated User

Even on instances where open registration is disabled, the flaw is severe because of where the trust boundary actually sits. The accounts on a typical Gogs deployment are not a small set of administrators — they are every developer, intern, contractor, CI account, and legacy service identity the organization ever provisioned. Any one of them with write access to a repository that has rebase merging enabled can fire the exploit. Successful exploitation gives the attacker direct filesystem-level read and write access to every repository on the instance — Gogs stores them under a single REPOSITORY_ROOT directory with no OS-level isolation — which means a single authenticated user can read every other user's private code, modify it without going through Gogs' audit logging, and dump the database containing password hashes, API tokens, SSH keys, and 2FA secrets for every account.

Scope and Impact

The exposure window is the entire history of any Gogs instance running a version that supports the 'Rebase before merging' merge style. Rapid7 confirmed the bug on 0.14.2 (the latest stable at research time) and on 0.15.0+dev, and notes that earlier versions supporting the same merge mode are likely vulnerable. A Shodan search for the Gogs sign-in title returns roughly 1,141 internet-facing instances at disclosure — the floor on the at-risk population, since most Gogs deployments sit behind VPNs or on internal networks. The reachable attack population, on a default-configured instance, is anyone on the internet with the willingness to register an account.

Several specifics remain genuinely open. No CVE identifier has been assigned at disclosure. There is no public reporting of in-the-wild exploitation, though the Metasploit module is public and the technique is described in full in the Rapid7 write-up. Whether the Gogs maintainer will publish a patch, and on what timeline, is unknown — Rapid7's disclosure timeline shows an initial acknowledgement on March 28, 2026, followed by no response despite follow-ups in April and May. Gogs itself has shipped three earlier argument-injection patches (CVE-2024-39930, CVE-2024-39932, CVE-2024-39933) and a fourth this year (CVE-2026-26194), each closing a different code path; the Merge() path Rapid7 disclosed today was never migrated to the safe git-module API the other fixes used.

The 2026 context tightens the urgency. The Verizon DBIR 2026 found that vulnerability exploitation just overtook credential theft as the number-one initial-access method, and GitHub's confirmation that the actor TeamPCP exfiltrated 3,800 internal repositories through a single poisoned VS Code extension demonstrated how attackers monetize access to source-control platforms once they reach them. A self-hosted Git server is the kind of asset that, in many organizations, was treated as an internal convenience whose patch SLA matched the schedule for printers; this disclosure closes that era for self-hosted developer tooling.

Response and Attribution

For any organization running Gogs on an internet-reachable host, the response is immediate and does not wait for a patch. Disable open registration by setting DISABLE_REGISTRATION = true in app.ini — the single most impactful mitigation Rapid7 lists, because it cuts off the easiest path to the 'authenticated' precondition. Restrict repository creation by setting MAX_CREATION_LIMIT = 0 (or capping it per-user via Max Repo Creation in the admin panel) so that users cannot stand up a fresh repository to exploit. Where 'Rebase before merging' is not in active use, audit and disable the setting on shared repositories — note that this is not a defense against a malicious user who owns or admins a repository, but it does reduce the surface on repos where the attacker has write access only. If the Gogs management interface does not need to be on the public internet, take it off. Where none of these steps is operationally possible, take the instance offline until a patch ships.

On detection: hunt the Gogs server logs for the error pattern Rapid7 documented — lines containing 'git checkout' followed by '--exec=' and 'unknown option `exec='. That entry fires after the RCE has already executed, because the merge attempts a later git checkout step that fails on the malicious branch name; the 500 is the audit-trail tell. On instances where exploitation has used an existing repository, additional artifacts remain: a branch name beginning with -- in the repository's branch listing, a failed pull request in the PR history, a repository stuck in a corrupted git state, and on Windows targets a committed payload file (e.g. .abcdef or .abcdef.bat) in the git history. The Metasploit module also creates a Gogs API token named msf_<hex> during exploitation, which persists after the attack because Gogs has no token-deletion API endpoint — audit /-/user/settings/applications for unexpected entries. Hunt for git rebase child processes spawning shells or arbitrary executables on Gogs hosts.

On the structural response: every self-hosted Git platform — Gogs, Gitea, GitLab CE, Forgejo, Bitbucket Server — belongs on the inventory of Tier-1 patching surfaces, on the same patch clock as production servers. The Rapid7 finding, where Merge() called process.ExecDir directly and bypassed the safe git-module API the rest of Gogs had been hardened to use, is exactly the kind of code path that survives a previous wave of argument-injection fixes and re-emerges in a new advisory. Operators of any platform with comparable rebase-on-server functionality should treat this disclosure as a prompt to audit their own merge code paths. The broader developer-tooling response in 2026 — including npm's move to staged publishing with 2FA-gated release approval — has shifted in the direction of forcing a second control between a malicious actor and a production artifact, and self-hosted Git platforms are now the conspicuous laggard. No public reporting ties exploitation of this flaw to a named actor at disclosure; with a public Metasploit module and a known unpatched primitive, that situation should be expected to change quickly.

The CyberSignal Analysis

Signal 01 — Self-Hosted Does Not Equal More Secure

Two critical flaws in two self-hosted Git platforms in a single week is not a coincidence; it is the end of an argument. The defense of self-hosting a developer platform has long rested on a security premise — that owning the deployment, controlling the network, and keeping the artifacts off third-party SaaS is safer than trusting a vendor's cloud. The premise is not wrong, but it carries an obligation the Gogs disclosure makes uncomfortably explicit: the operator now owns every access decision, every default, and every patch SLA. The Gitea CVE-2026-27771 disclosure the previous day shipped a patched version on the day of the advisory; the Gogs disclosure ships with no patch and no maintainer response, only operator-side mitigations that depend on tightening defaults that ship wide-open. The read-across for security leaders is direct: any self-hosted developer platform should be inventoried, treated as Tier-1, and held to the same patch and incident-response standards as a production-facing system.

Signal 02 — 'Authenticated' Is the Wrong Frame for a Multi-Tenant Git Host

The single most common way this flaw will be misread is through the word 'authenticated.' On a typical access-control rubric, an authenticated bug is a tier below an unauthenticated one — it requires a credential, so the population that can exploit it is smaller, so the urgency is lower. That logic does not survive contact with a self-hosted Git platform. On a default-configured Gogs instance, the authentication barrier is a sign-up form; the practical population of exploiters is anyone on the internet. Even where registration is restricted, the authenticated population is every developer, contractor, and service account the organization has provisioned over the platform's lifetime — and a single one of them, compromised or malicious, is sufficient. The right way to triage the Gogs flaw is to treat 'authenticated' as functionally close to 'remote' for any internet-reachable instance with open registration on.

Signal 03 — The Patch Surface Is Now Bigger Than the Public Disclosures

The most uncomfortable detail in Rapid7's write-up is not the CVSS score; it is the table comparing this Merge() flaw to three earlier Gogs argument-injection CVEs (CVE-2024-39930, CVE-2024-39932, CVE-2024-39933) and a fourth this year (CVE-2026-26194). Each closed a different code path by adding -- or --end-of-options, or by migrating the call to the safe git-module library. Each fix made Gogs incrementally more resilient — and each one left this code path in place, because Merge() never migrated. The structural pattern: in a codebase where a class of bug has been fixed multiple times across multiple advisories, the unfixed instances are not necessarily the ones nobody noticed; they may be the ones missed during the previous round of hardening because they used a slightly different abstraction. The patch surface on self-hosted developer platforms is bigger than the public disclosure list — a lesson reinforced this year by the TeamPCP campaign that quietly exfiltrated 3,800 internal GitHub repositories through a single poisoned VS Code extension, where the path to the source code did not run through any of the advisories defenders were watching.

Sources