A critical RCE flaw in Gogs allows attackers to execute arbitrary code
29 May 2026
Security researchers have discovered a critical Remote Code Execution vulnerability in Gogs, an open-source program that lets anyone host their own source code repositories just like GitHub and GitLab but on a server controlled by them.
Through this blog, we will understand what the vulnerability is about, the threat posed by the vulnerability, and some of the security actions that organizations can take to prevent/mitigate the threats posed by the vulnerability.
About the vulnerability
|
Vendor + Component |
CVE identifier |
About |
Severity |
|
Gogs “Rebase before merging” repository setting
|
Not assigned |
Gogs Git Hooks Remote Code Execution |
Critical |
What can attackers do with vulnerability?
Any user who can create a repository or has write access to a repository with rebase merging enabled can trigger the exploit without needing admin privileges.
Attackers can:
- Cause full server compromise
- Gain unauthorized access to all private repositories
- Steal credentials
- Laterally move across network
SharkStriker recommendations
- Update the Gogs app.ini configuration file to limit exposure until a patch is released:
- Stop new accounts: Set DISABLE_REGISTRATION = true.
- Stop new repositories: Set MAX_CREATION_LIMIT = 0.
- Audit Merge Settings: Review and disable the “Rebase before merging” feature globally or within existing repository settings where possible.
- Network Isolation: Ensure your Gogs instance is placed behind a VPN or internal network and is not directly facing the public internet.