A critical RCE flaw in Gogs allows attackers to execute arbitrary code

29 May 2026

Security researchers have discovered a critical Remote Code Execution vulnerability in Gogs, an open-source program that lets anyone host their own source code repositories just like GitHub and GitLab but on a server controlled by them.

 

Through this blog, we will understand what the vulnerability is about, the threat posed by the vulnerability, and some of the security actions that organizations can take to prevent/mitigate the threats posed by the vulnerability.

About the vulnerability

Vendor + Component 

CVE identifier  

About 

Severity 

Gogs  

“Rebase before merging” repository setting 

 

Not assigned 

Gogs Git Hooks Remote Code Execution 

Critical 

What can attackers do with vulnerability?

Any user who can create a repository or has write access to a repository with rebase merging enabled can trigger the exploit without needing admin privileges.

 

Attackers can:

 

  • Cause full server compromise
  • Gain unauthorized access to all private repositories
  • Steal credentials
  • Laterally move across network

SharkStriker recommendations

  • Update the Gogs app.ini configuration file to limit exposure until a patch is released:
  • Stop new accounts: Set DISABLE_REGISTRATION = true.
  • Stop new repositories: Set MAX_CREATION_LIMIT = 0.
  • Audit Merge Settings: Review and disable the “Rebase before merging” feature globally or within existing repository settings where possible.
  • Network Isolation: Ensure your Gogs instance is placed behind a VPN or internal network and is not directly facing the public internet.

Get in Touch With us

We have explored what risk tolerance and risk appetite are and how important they are together in helping businesses align cybersecurity with their business goals. It can help CISOs, and C-suite make informed investment decisions for cybersecurity.

LEARN MORE