HomeIntelligenceBrief
VULNERABILITY BRIEF🔴 Critical Vulnerability

Zero‑Day Remote Code Execution Flaw in Gogs Self‑Hosted Git Service Exposes Thousands of Repositories

A critical zero‑day argument‑injection bug in Gogs (versions 0.14.2 and 0.15.0+dev) lets unauthenticated attackers create accounts, trigger RCE via pull‑request rebase, and steal source code and credentials. The flaw affects default‑configured instances worldwide, creating a high‑impact supply‑chain risk for third‑party risk managers.

LiveThreat™ Intelligence · 📅 May 28, 2026· 📰 bleepingcomputer.com
🔴
Severity
Critical
VU
Type
Vulnerability
🎯
Confidence
High
🏢
Affected
4 sector(s)
Actions
5 recommended
📰
Source
bleepingcomputer.com

Zero‑Day Remote Code Execution Flaw in Gogs Self‑Hosted Git Service Threatens Thousands of Repositories

What Happened — An unauthenticated attacker can create an account on default‑configured Gogs instances, then exploit an argument‑injection bug in the merge‑rebase code path to achieve remote code execution as the Gogs process user. The flaw affects Gogs 0.14.2 and 0.15.0+dev and has not yet been assigned a CVE.

Why It Matters for TPRM

  • Compromise of source‑code repositories can inject malicious code into downstream products, creating a supply‑chain risk.
  • Credential leakage (password hashes, API tokens, SSH keys, 2FA secrets) enables lateral movement into other vendor environments.
  • The vulnerability is present in default deployments, meaning many third‑party services may be exposed without realizing it.

Who Is Affected — Organizations that host or consume self‑hosted Git services (software development firms, fintech, health‑tech, and any enterprise that runs Gogs for internal or partner collaboration).

Recommended Actions

  • Inventory all Gogs instances and verify whether open registration is enabled.
  • Disable open registration or enforce strong authentication (MFA, SSO).
  • Apply any interim mitigations (disable rebase‑before‑merge, restrict repository creation limits).
  • Monitor pull‑request activity for suspicious branch names and unexpected rebase operations.
  • Prioritize patch deployment once an official fix is released.

Technical Notes — The exploit leverages an argument‑injection flaw in the Merge() function, allowing a malicious branch name to inject the --exec flag into git rebase. Successful exploitation yields arbitrary code execution, repository read‑out, credential dumping, and network pivoting. No CVE ID assigned yet; the issue is classified as critical severity. Source: BleepingComputer

📰 Original Source
https://www.bleepingcomputer.com/news/security/new-gogs-zero-day-flaw-lets-hackers-get-remote-code-execution/

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · Trust Operations

Misconfigurations are control gaps in disguise.

Verisq AI Trust Operations turns findings like this into mapped controls with continuous evidence, keeping your audit readiness current instead of point-in-time.

Map your controls with Verisq AI Trust Operations →