A newly disclosed zero-day in Gogs can let attackers execute arbitrary code on vulnerable servers. Gogs is a self-hosted Git service, and according to Rapid7 research published on May 28, 2026, the flaw affects the platform’s ‘Rebase before merging’ workflow. It works by injecting the --exec flag into git rebase, which turns a malicious branch name into a command execution path.
The vulnerability was primarily discovered and validated on March 16, 2026. Rapid7 rated the bug 9.4 on the CVSS scale and said it does not yet have a CVE identifier. The bug affects Gogs 0.14.2 and 0.15.0+dev, and no vendor patch was available at publication time of Rapid7’s research.
How Does the New Gogs Zero-Day Vulnerability Work?
The issue allows any authenticated user to achieve remote code execution by creating a pull request with a malicious branch name that injects the --exec flag into git rebase. Since git rebase supports the --exec option, the attacker-controlled value can be treated as a command instead of a branch reference during the merge process.
Researchers note that successful exploitation could expose private repositories, steal credentials, and let attackers move deeper into connected systems.
What Dangers does the Vulnerability Impose?
According to Rapid7, once an attacker has access to a suitable repository, no admin privileges or interaction with other users are required. The risk is especially serious on default-configured deployments.
Gogs ships with open registration enabled by default and no limit on repository creation. This indicates that an unauthenticated attacker can create an account, open a repository, and then trigger the exploit chain without help from other users.
Reportedly, more than 2,400 Gogs servers are exposed online, mainly across Asia and Europe, and over 1,000 further IP addresses carry a Gogs fingerprint. The flaw mainly affects internet-facing installations that attackers can reach.
Has Gogs Released a Patch for the Zero-Day Flaw?
Rapid7 notes in its published research on the zero-day vulnerability that Gogs had not released a patch yet. The issue remained unfixed by late May, even though Gogs maintainers were notified about the flaw on March 17, 2026.
The flaw comes after CISA had already added a separate Gogs vulnerability, CVE-2025-8110, to its Known Exploited Vulnerabilities catalog earlier this year. Such incidents show that Gogs has been a repeated target for real-world exploitation.
What Should Security Teams Do?
Security teams must disable open registration and restrict repository creation until a fix is released. Furthermore, they must review whether ‘Rebase before merging’ is enabled and check the logs for suspicious pull request activity or branch names.
The exploit can be automated and may leave behind an HTTP 500 error and a corrupted repository state after execution, so those traces are worth hunting for. Staying alert and adopting precautionary measures will help keep servers safe until a fix ships.
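To make the log review concrete, here is an added example (not code from Rapid7, Gogs, or this article) that scans pull-request audit lines for branch names git could consume as an option rather than a ref, and tags merges that ended in an HTTP 500. The log format, user names, repository name, and the PLACEHOLDER branch value are all constructed for the example; Gogs’ real log layout will differ and the regex must be adapted to it.

```python
import re

# Constructed sample audit log in a made-up key=value layout (not Gogs' real log format).
SAMPLE_LOG = """\
2026-03-16T10:02:11Z user=alice action=pr.open repo=team/app head=feature/login-fix
2026-03-16T10:05:40Z user=mallory action=pr.open repo=team/app head=--exec=PLACEHOLDER
2026-03-16T10:05:42Z user=mallory action=pr.merge repo=team/app head=--exec=PLACEHOLDER status=500
2026-03-16T10:09:03Z user=bob action=pr.open repo=team/app head=-q
2026-03-16T10:12:55Z user=carol action=pr.open repo=team/app head=release/2.0
2026-03-16T10:14:10Z user=carol action=pr.merge repo=team/app head=release/2.0 status=200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"repo=(?P<repo>\S+) head=(?P<head>\S+)(?: status=(?P<status>\d+))?$"
)


def is_option_like(ref: str) -> bool:
    """True when a branch name could be parsed by git as an option instead of a
    ref: it begins with '-' or carries an --exec token anywhere (defence in depth)."""
    return ref.startswith("-") or "--exec" in ref


def scan_pr_log(text: str) -> list[dict]:
    """One finding per log line whose head branch is option-like. A merge that
    returned status 500 is tagged, since that is the trace the write-up describes."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or not is_option_like(m["head"]):
            continue
        findings.append({
            "user": m["user"], "repo": m["repo"], "action": m["action"],
            "head": m["head"],
            "post_merge_500": m["action"] == "pr.merge" and m["status"] == "500",
        })
    return findings


def suspicious_users(text: str) -> set[str]:
    """Accounts that opened or merged a PR from an option-like branch name."""
    return {f["user"] for f in scan_pr_log(text)}


if __name__ == "__main__":
    for finding in scan_pr_log(SAMPLE_LOG):
        print(finding)
```

Any account the scan surfaces is a candidate for review of its repositories and recent activity, and the flagged repositories should be checked for the corrupted state the research mentions.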