CyberIntel ⬡ News
★ Saved ◆ Cyber Reads
← Back ◇ Industry News & Leadership May 28, 2026

New Gogs 0-Day Vulnerability Lets Attackers Run Malicious Code on the Server Remotely

Cybersecurity News Archived May 28, 2026 ✓ Full text saved

A critical zero-day vulnerability has been discovered in Gogs, one of the most widely deployed self-hosted Git platforms in the world, allowing any authenticated user to execute arbitrary commands on the underlying server with no patch available at the time of publication. Rapid7 Labs researcher Jonah Burgess (CryptoCat) identified the flaw, tracked as a CWE-88 […] The post New Gogs 0-Day Vulnerability Lets Attackers Run Malicious Code on the Server Remotely appeared first on Cyber Security News

Full text archived locally
✦ AI Summary · Claude Sonnet


    HomeCyber Security New Gogs 0-Day Vulnerability Lets Attackers Run Malicious Code on the Server Remotely By Guru Baran May 28, 2026 A critical zero-day vulnerability has been discovered in Gogs, one of the most widely deployed self-hosted Git platforms in the world, allowing any authenticated user to execute arbitrary commands on the underlying server with no patch available at the time of publication. Rapid7 Labs researcher Jonah Burgess (CryptoCat) identified the flaw, tracked as a CWE-88 argument injection vulnerability, and scored it CVSSv4 9.4 (Critical). The vulnerability resides in Gogs’ “Rebase before merging” merge operation and affects the latest stable release, Gogs 0.14.2, as well as the development build 0.15.0+dev (commit b53d3162). All prior versions supporting the rebase merge style are also likely vulnerable. Gogs 0-Day Vulnerability The exploit targets the Merge() function in internal/database/pull.go, which passes pull request base branch names directly to a git rebase command without a POSIX -- separator or proper argument sanitization. An attacker crafts a malicious branch name such as --exec=touch${IFS}/tmp/rce_proof and opens a pull request using that branch. When the rebase merge is triggered, Git’s argument parser interprets --exec as a flag rather than a branch name, causing Git to run the attacker-controlled command via sh -c after each replayed commit. The result is arbitrary command execution running as the Gogs server process user — typically git on both Docker and binary installations. What makes this especially dangerous is the low barrier to entry. Gogs ships with open user registration and unlimited repository creation enabled by default. This means an unauthenticated attacker can register an account, create a repository, enable rebase merging in settings, and launch the full exploit chain entirely within their own account, requiring no interaction from any other user and no administrative privileges, Jonah Burgess said. The practical consequences of a successful exploit are severe: Server compromise via arbitrary command execution as the Gogs process user Cross-tenant data breach — read every repository on the instance, including private repos from other users Credential theft — dump password hashes, API tokens, SSH keys, and 2FA secrets from the database Lateral movement to other systems reachable from the server’s network Supply chain attacks — silently modify any hosted repository’s code, bypassing audit logging Gogs has approximately 50,000 GitHub stars and over 5,000 forks, and a Shodan search at the time of publication revealed 1,141 internet-facing instances with the real install base far larger due to internal and VPN-protected deployments. A fully functional Metasploit module has been published, making exploitation trivial and automatable in seconds. Defenders should monitor Gogs server logs for ERROR-level entries containing patterns like git checkout '--exec=<...>': exit status 128. Administrators should also audit repository branch listings for names beginning with --, check user token lists at /-/user/settings/applications for unexpected msf_<hex> entries, and inspect PR histories on sensitive repositories. Mitigations No vendor patch exists. Until one is released, organizations should apply these mitigations immediately: Set DISABLE_REGISTRATION = true in app.ini to block untrusted account creation Set MAX_CREATION_LIMIT = 0 to prevent users from creating new repositories Audit all repositories for the “Rebase before merging” setting, especially on repos with external contributors Rapid7 first reported this vulnerability to Gogs maintainers on March 17, 2026. Despite multiple follow-ups through May 2026, no fix has been delivered. Follow us on Google News, LinkedIn, and X to Get More Instant Updates. Tags cyber security cyber security news vulnerability Copy URL Linkedin Twitter ReddIt Telegram Guru Baranhttps://cybersecuritynews.com Gurubaran KS is a cybersecurity analyst, and Journalist with a strong focus on emerging threats and digital defense strategies. He is the Co-Founder and Editor-in-Chief of Cyber Security News, where he leads editorial coverage on global cybersecurity developments. Trending News Developer-Targeting Glassworm Malware Abuses npm, PyPI, OpenVSX, and GitHub Quasar Linux RAT Targets Developers With Fileless Execution and eBPF Rootkit Canadian Man Arrested for Operating KimWolf DDoS Botnet Hacking 2 Million Devices Hackers Compromised 233 Versions of Laravel-Lang Packages by Hacking 700 GitHub Repos Hackers Use Six-Layer Persistence to Maintain Access on Compromised FreePBX Systems Latest News Cyber Security News VaultJacking Attack Steals Entire Google Password Manager Vault With One Captured PIN Cyber Security News AI-Generated npm Malware Accidentally Exposes Threat Actor’s Private GitHub Token Cyber Security News Claude Opus 4.8 Released With Ability to Work as an Experienced Engineer Cyber Security Critical OpenVPN Connect for macOS Vulnerability Let Attackers Execute Arbitrary Commands Cyber Security News Hackers Deploy VIP Keylogger Through Phishing Emails Masquerading as Business Documents
    💬 Team Notes
    Article Info
    Source
    Cybersecurity News
    Category
    ◇ Industry News & Leadership
    Published
    May 28, 2026
    Archived
    May 28, 2026
    Full Text
    ✓ Saved locally
    Open Original ↗