Last updated: July 5, 2026 at 9:01 AM UTC
Tag: self-hosted-git (1 article)

Gogs unpatched zero-day argument-injection RCE affects all default-configured instances; open registration plus rebase-merge toggle is the chain

Rapid7's Jonah Burgess has disclosed an unpatched argument-injection RCE in Gogs, the self-hosted Git service often run as a lightweight alternative to GitLab or GitHub Enterprise. The flaw affects Gogs 0.14.2 and 0.15.0+dev and requires an authenticated user, but Gogs ships with open registration enabled (DISABLE_REGISTRATION = false) and no per-user repository creation limit, so any internet-facing instance running the default configuration is effectively exploitable without prior access: the attacker registers an account, creates a repository, enables rebase merging in the repository settings, and the rest of the chain needs no interaction from an administrator or any other user. Code execution lands as the OS user running the Gogs server process. No CVE has been assigned and no patch is available; the mitigation is configuration-level: close open registration and restrict who can create repositories.

Check
Inventory Gogs instances (the advisory names only Gogs; Forgejo instances are worth inventorying alongside them but are not listed as affected). In custom/conf/app.ini, check that [service] DISABLE_REGISTRATION is true and that [repository] MAX_CREATION_LIMIT is set to a positive value (the shipped default of -1 means no limit). On any instance that has been running the defaults, audit accounts and repositories created recently and look for repositories with rebase merging enabled.
Affected
Gogs 0.14.2 and 0.15.0+dev. Any instance running the default configuration (open registration, no repository creation limit) is effectively exploitable without prior access. No CVE assigned, no patch available yet.
Fix
Set DISABLE_REGISTRATION = true and a strict MAX_CREATION_LIMIT in custom/conf/app.ini and restart Gogs so the change takes effect. Put the instance behind a VPN or another authenticated front door rather than exposing it to the internet. Monitor for unexpected new accounts and for repositories whose rebase-merge setting changes.
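The Check and Fix steps above reduce to two settings in Gogs's app.ini. The script below is an added example, not code from the advisory or from the Gogs project: it parses an app.ini fragment with Python's configparser, applies the defaults Gogs uses when a key is absent (DISABLE_REGISTRATION = false, MAX_CREATION_LIMIT = -1 meaning no limit, as documented in the shipped app.ini), and reports each weak setting. The two config fragments are constructed for illustration; the weak one reproduces the shipped defaults and the hardened one shows the corrected values.

```python
import configparser
import sys

# Constructed sample fragments of custom/conf/app.ini (not from any real instance).
# The first mirrors Gogs's shipped defaults; the second is the hardened form.
WEAK_APP_INI = """
[service]
; shipped default: anyone can register
DISABLE_REGISTRATION = false

[repository]
; shipped default: -1 means no per-user creation limit
MAX_CREATION_LIMIT = -1
"""

HARDENED_APP_INI = """
[service]
DISABLE_REGISTRATION = true

[repository]
MAX_CREATION_LIMIT = 10
"""

# Values Gogs applies when the key is missing from app.ini (from the shipped
# default config; treated here as an assumption about the running binary).
DEFAULTS = {
    ("service", "DISABLE_REGISTRATION"): "false",
    ("repository", "MAX_CREATION_LIMIT"): "-1",
}


def _parse(ini_text):
    cp = configparser.ConfigParser(interpolation=None, allow_no_value=True)
    cp.optionxform = str  # Gogs keys are upper-case; do not lower-case them
    cp.read_string(ini_text)
    return cp


def _get(cp, section, key):
    """Return the configured value, or the Gogs default when absent/empty."""
    if cp.has_section(section) and cp.has_option(section, key):
        value = cp.get(section, key)
        if value is not None and value.strip():
            return value.strip()
    return DEFAULTS[(section, key)]


def audit_gogs_config(ini_text):
    """Return a list of (setting, value, problem) tuples for each weak setting.

    An empty list means both settings close the unauthenticated path
    described in the advisory; an empty ini_text is audited against the
    defaults, which is what an instance with no override actually runs.
    """
    cp = _parse(ini_text)
    findings = []

    reg = _get(cp, "service", "DISABLE_REGISTRATION")
    if reg.lower() != "true":
        findings.append(("service.DISABLE_REGISTRATION", reg,
                         "open registration: anyone can create the account the chain needs"))

    limit_raw = _get(cp, "repository", "MAX_CREATION_LIMIT")
    try:
        limit = int(limit_raw)
    except ValueError:
        limit = -1  # unparseable value: Gogs would fail to apply it; treat as unlimited
    if limit < 0:
        findings.append(("repository.MAX_CREATION_LIMIT", limit_raw,
                         "no per-user repository limit: the attacker-controlled repo is free"))
    return findings


if __name__ == "__main__":
    # Usage: python audit_gogs.py /path/to/custom/conf/app.ini
    # With no argument, audits the constructed samples above.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            targets = {sys.argv[1]: fh.read()}
    else:
        targets = {"weak (shipped defaults)": WEAK_APP_INI,
                   "hardened": HARDENED_APP_INI}
    for name, text in targets.items():
        findings = audit_gogs_config(text)
        print(f"{name}: {'OK' if not findings else str(len(findings)) + ' weak setting(s)'}")
        for setting, value, problem in findings:
            print(f"  {setting} = {value}: {problem}")
```

Run it against each instance's app.ini from the inventory; an instance with no app.ini override at all is reported with both findings, because Gogs then runs the compiled-in defaults. Changing the file does not take effect until Gogs is restarted, so pair the audit with a check of the process start time.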