Critical Gogs RCE via malicious branch name in rebase

A Gogs vulnerability lets any authenticated user run code by opening a pull request with a branch name that injects --exec into git rebase when rebase merging is enabled.

A critical vulnerability in Gogs allows any authenticated user to execute code on the server by creating a pull request with a crafted branch name that injects the --exec flag into git rebase when the “Rebase before merging” option is enabled. The issue was reported to the Gogs maintainer on March 17, 2026, and at the time of writing had not been assigned a CVE identifier.

The flaw leverages the git rebase operation, which replays commits from one branch onto another. Git rebase accepts a --exec argument that runs a shell command after each commit is applied. Because the server passes the branch name to git without ensuring it cannot be read as an option, a branch name crafted to carry the --exec argument causes the server to run arbitrary shell commands during the rebase.
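The defensive counterpart to the mechanism just described is to refuse any user-supplied ref that git could parse as an option before it reaches the git command line. The following Go code is an added example written for this article, not Gogs's own code: ValidateBranchName, RebaseArgs and RebaseCommand are hypothetical names, the rules are git's refname rules plus a leading-dash check, and the branch names in main are constructed inputs.

```go
package main

import (
	"errors"
	"fmt"
	"os/exec"
	"strings"
)

// ErrBadBranchName is returned for any branch name that must never reach git's argv.
var ErrBadBranchName = errors.New("refusing branch name: empty, option-like, or not a valid ref")

// ValidateBranchName applies git's refname rules (see git-check-ref-format) plus the
// rule that matters here: a name beginning with '-' would be parsed by git rebase as
// an option such as --exec, so it is rejected before any command line is built.
func ValidateBranchName(name string) error {
	if name == "" || name == "@" || strings.HasPrefix(name, "-") {
		return ErrBadBranchName
	}
	if strings.Contains(name, "..") || strings.Contains(name, "@{") || strings.Contains(name, "//") {
		return ErrBadBranchName
	}
	if strings.HasPrefix(name, "/") || strings.HasSuffix(name, "/") || strings.HasSuffix(name, ".") {
		return ErrBadBranchName
	}
	for _, r := range name {
		switch {
		case r < 0x20, r == 0x7f, strings.ContainsRune(" ~^:?*[\\", r):
			return ErrBadBranchName
		}
	}
	for _, comp := range strings.Split(name, "/") {
		if strings.HasPrefix(comp, ".") || strings.HasSuffix(comp, ".lock") {
			return ErrBadBranchName
		}
	}
	return nil
}

// RebaseArgs returns the argv (after "git") for replaying branch onto upstream.
// Both names are user-controlled in a pull-request flow, so both are validated.
// Using exec.Command instead of a shell stops shell injection but not option
// injection, which is why this validation is still required.
func RebaseArgs(upstream, branch string) ([]string, error) {
	for _, n := range []string{upstream, branch} {
		if err := ValidateBranchName(n); err != nil {
			return nil, fmt.Errorf("%w: %q", err, n)
		}
	}
	return []string{"rebase", upstream, branch}, nil
}

// RebaseCommand builds the exec.Cmd for a validated rebase inside repoDir.
func RebaseCommand(repoDir, upstream, branch string) (*exec.Cmd, error) {
	args, err := RebaseArgs(upstream, branch)
	if err != nil {
		return nil, err
	}
	cmd := exec.Command("git", args...)
	cmd.Dir = repoDir
	return cmd, nil
}

func main() {
	// Constructed inputs: a normal branch and one shaped like a rebase option.
	for _, head := range []string{"feature/login", "--exec=CONSTRUCTED_COMMAND"} {
		args, err := RebaseArgs("master", head)
		fmt.Printf("head=%q -> args=%v err=%v\n", head, args, err)
	}
}
```

The check is deliberately applied to every ref that lands in argv, not only the pull-request head, so the same guard covers the target branch and any other user-chosen name a merge strategy might pass to git.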

The exploit does not require administrator privileges or interaction with other users on a default-configured instance. Rapid7 researcher Jonah Burgess reported that any registered user who creates a repository becomes its owner by default; enabling rebase merging is a single toggle in repository settings. An attacker can create an account, create a repository, enable rebase merging, open a pull request with the crafted branch name and trigger remote code execution. If repository creation is restricted, write access to a repository with rebase merging enabled is sufficient.

Successful exploitation can grant full control of the server. An attacker could read or modify every repository on the instance, extract stored credentials, move to other systems on the network and alter hosted code. Rapid7 notes the flaw can lead to cross-tenant breaches on shared servers, exposing private repositories of other users. The vulnerability affects Gogs on Windows, Linux and macOS.

Rapid7 assigned the issue a CVSS score of 9.4. Burgess provided a technical summary and wrote: “The vulnerability allows any authenticated user to achieve remote code execution (RCE) on the server by creating a pull request with a malicious branch name that injects the --exec flag into git rebase during the ‘Rebase before merging’ merge operation.” The researcher reported the issue to the Gogs maintainer on March 17, 2026.

Rapid7 published a Metasploit module that automates the exploit chain for Linux and Windows targets. The module supports a mode that creates a temporary repository under the attacker’s account, runs the exploit and deletes the repository, leaving only an HTTP 500 error in server logs. A second mode targets an existing repository the attacker controls or can write to; that mode leaves more artifacts.

In the absence of a public patch, administrators are advised to take defensive steps. Rapid7 recommends disabling public user registration by setting DISABLE_REGISTRATION = true in app.ini, preventing repository creation by setting MAX_CREATION_LIMIT = 0, auditing repositories to ensure rebase merging is disabled where not required, reviewing server logs for unexpected HTTP 500 errors and monitoring repository and branch activity.
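The two app.ini settings above, placed in the sections where Gogs reads them, as an added configuration fragment (not from the article or the Gogs project; the section names follow Gogs's standard app.ini layout, and custom/conf/app.ini is the usual location of the file):

```ini
; Hardening fragment for custom/conf/app.ini (added example, not project code).
[service]
; Stop self-service sign-up: the reported exploit chain begins with creating an account.
DISABLE_REGISTRATION = true

[repository]
; Block new repositories so an existing user cannot create one just to enable rebase merging.
MAX_CREATION_LIMIT = 0
```

These settings only shrink the pool of users who can reach a rebase-enabled repository; the remaining steps in the advice, auditing existing repositories for rebase merging and watching logs for unexpected HTTP 500 errors, still apply to users who already have write access.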

Gogs is an open-source, self-hosted Git service used by organizations and developers to host code on their own servers. The vulnerability involves server-side Git operations accepting input that can change command-line behavior. Administrators should apply the recommended configuration changes until an official fix is released.
