vulnerability
Gogs: gogs-git-rebase-argument-injection: Authenticated Remote Code Execution via Git Rebase Argument Injection
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 9 | (AV:N/AC:L/Au:S/C:C/I:C/A:C) | May 28, 2026 | May 28, 2026 | May 28, 2026 |
Description
A critical argument injection vulnerability (CWE-88) exists in Gogs within the Pull Request Merge() functionality. The application passes a PR's base branch name directly to 'git rebase' via raw process execution without using an end-of-options delimiter (--). An authenticated attacker with write or merge access can create and push a malicious branch name containing the '--exec' flag (e.g., '--exec=payload') to execute arbitrary shell commands as the host environment's Gogs server process user.
Because default configurations allow open user registration and unrestricted repository creation, unauthenticated external attackers can leverage this pipeline to register an account and achieve full server compromise completely autonomously.
Affected Versions: Gogs versions 0.14.2, 0.15.0+dev (up to commit b53d3162), and all prior versions supporting the 'Rebase before merging' feature.
Required Configuration: 'Rebase before merging' style must be enabled on a repository where the attacker possesses write/merge privileges.
Solution
2026 Global Threat Landscape Report
The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.