Last updated: July 5, 2026 at 9:01 AM UTC
Tag: argument-injection (2 articles)

Gogs patches critical RCE zero-day exposing private repos and credentials

Gogs, a popular self-hosted Git service, has finally patched a critical zero-day that Rapid7 disclosed in late May when no fix existed. The flaw (CVSS 9.4, no CVE assigned yet) lets a logged-in user with no admin rights run commands on the server by opening a pull request whose branch name secretly injects an exec option into a git rebase. Because Gogs ships with open registration on by default, an attacker can simply create an account to reach it. Successful exploitation means full server takeover: reading every private repository, dumping password hashes, API tokens, SSH keys, and 2FA secrets, and tampering with hosted source code.

Check
Identify internet-facing Gogs instances and their version, check whether open registration is enabled, and review logs for unexpected pull requests with unusual branch names or new low-privilege accounts.
Affected
Self-hosted Gogs servers up to and including 0.14.2 and 0.15.0+dev, especially those with the default open registration and unlimited repository creation enabled.
Fix
Upgrade to the patched Gogs release immediately. As interim mitigation, disable open registration and restrict repository creation, and rotate any credentials or tokens stored on the server.

Gogs unpatched zero-day argument-injection RCE affects all default-configured instances; open registration plus rebase-merge toggle is the chain

Rapid7's Jonah Burgess has disclosed an unpatched argument-injection RCE in Gogs, the self-hosted Git service often used as a GitLab/GitHub Enterprise alternative. The flaw affects Gogs 0.14.2 and 0.15.0+dev and requires authentication, but Gogs ships with open registration enabled by default (DISABLE_REGISTRATION = false) and no repository creation limits, so any internet-facing default-configured instance is effectively unauthenticated-exploitable: an attacker creates an account and repo, enables rebase merging in settings, and the entire exploit chain runs without third-party interaction. Code execution lands as the Gogs server-process user. No CVE has been assigned and no patch is available; mitigations involve disabling open registration.

Check
Inventory Gogs and Forgejo instances. Check whether DISABLE_REGISTRATION is true and MAX_CREATION_LIMIT is positive. Audit recently created accounts and repositories on default-configured instances.
Affected
Gogs 0.14.2 and 0.15.0+dev. Any instance with default config (open registration, no creation limit) is effectively unauthenticated. No CVE assigned, no patch available yet.
Fix
Disable open registration (DISABLE_REGISTRATION = true) and set strict MAX_CREATION_LIMIT. Restrict instances to authenticated VPN access. Monitor for unexpected new accounts and rebase-merge toggle changes.
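The two configuration checks above, as an added example (not code from either write-up or from the Gogs project): a small Python audit of a Gogs app.ini that reports whether open registration is still on and whether repository creation is unlimited. The section and key names ([service] DISABLE_REGISTRATION, [repository] MAX_CREATION_LIMIT) are Gogs' own; the two sample files are constructed, the first mirroring the default-configured instance the write-ups describe.

```python
"""Audit a Gogs app.ini for the interim mitigations named in the write-ups."""
import configparser

# Constructed sample mirroring a default-configured instance (open registration,
# unlimited repository creation).
DEFAULT_APP_INI = """\
APP_NAME = Gogs
RUN_USER = git

[repository]
ROOT = /home/git/gogs-repositories
MAX_CREATION_LIMIT = -1

[service]
DISABLE_REGISTRATION = false
"""

# Constructed sample with both mitigations applied.
HARDENED_APP_INI = DEFAULT_APP_INI.replace(
    "MAX_CREATION_LIMIT = -1", "MAX_CREATION_LIMIT = 5"
).replace("DISABLE_REGISTRATION = false", "DISABLE_REGISTRATION = true")


def parse_app_ini(text):
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep Gogs' upper-case key names as written
    # Gogs allows keys before the first section header; give them a home.
    parser.read_string("[__root__]\n" + text)
    return parser


def audit_app_ini(text):
    """Return a list of findings; an empty list means both mitigations are in place."""
    cfg = parse_app_ini(text)
    findings = []
    try:
        registration_off = cfg.getboolean("service", "DISABLE_REGISTRATION", fallback=False)
    except ValueError:  # unparsable value: treat as not mitigated
        registration_off = False
    if not registration_off:
        findings.append("open registration: set [service] DISABLE_REGISTRATION = true")
    try:
        limit = int(cfg.get("repository", "MAX_CREATION_LIMIT", fallback="-1"))
    except ValueError:
        limit = -1
    if limit <= 0:  # -1 (and 0) mean no limit in Gogs
        findings.append("unlimited repo creation: set [repository] MAX_CREATION_LIMIT to a positive number")
    return findings


if __name__ == "__main__":
    for name, ini in (("default", DEFAULT_APP_INI), ("hardened", HARDENED_APP_INI)):
        print(name, "->", audit_app_ini(ini) or "no findings")
```

Point `audit_app_ini` at the contents of a live custom/conf/app.ini to check an instance; it only reads the file and changes nothing.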