Gogs RCE Zero-Day: Check Open Registration

Stephanie Adlam
Gogs RCE warning poster showing a self-hosted Git server and open-registration risk.

Rapid7 has disclosed a critical, still-unpatched remote code execution flaw in Gogs, the self-hosted Git service. The issue matters most for public or semi-public Gogs instances because the attack only needs an authenticated account, and default-style deployments may let outsiders create that account themselves.

The flaw is an argument-injection bug in the Rebase before merging pull-request path. Rapid7 says a malicious branch name can make the server pass an unsafe option into git rebase, leading to command execution as the Gogs server process user. The practical response is not to copy exploit details, but to reduce account and repository exposure until a vendor patch exists.

Who should act now

Administrators should review any Gogs instance that is reachable from the internet, shared by multiple users, used by contractors, or connected to CI/CD, build, package, or deployment systems. A compromise of the Gogs process can expose private repositories, tokens, SSH keys, password hashes, and code that later ships into production.

| Check | Why it matters | Immediate action |
|---|---|---|
| Open registration | Turns an authenticated bug into a low-barrier external attack path. | Set DISABLE_REGISTRATION = true unless public sign-up is required. |
| Repository creation | Rapid7 describes a self-contained path through an attacker-owned repository. | Restrict repository creation or set per-user limits for untrusted accounts. |
| Rebase merge option | The vulnerable path is tied to Rebase before merging. | Audit repositories where write users can enable or use rebase merging. |
| Server artifacts | Successful RCE may leave unexpected files, changed repository contents, or new credentials. | Review Gogs logs, repository directories, recent account creation, tokens, SSH keys, and CI secrets. |

What to check first

Start with the configuration file that controls authentication and repository limits. Gogs documents that runtime overrides normally live in custom/conf/app.ini or another configured app.ini path. Confirm that registration is not open to the public, then check whether ordinary users can create repositories without review.
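The two configuration checks above (registration and repository creation), as an added example that is not code from the article or from the Gogs project: a small Python audit that parses an app.ini and reports the settings that widen the reach of an authenticated-only bug. DISABLE_REGISTRATION is the key the article names; MAX_CREATION_LIMIT under [repository] is a key I take from my reading of the Gogs configuration reference, so confirm it against the version you run. The sample app.ini is constructed.

```python
"""Audit a Gogs app.ini for settings that widen an authenticated-only bug.

Added example, not the article's or the Gogs project's code. Only
DISABLE_REGISTRATION is named in the article; MAX_CREATION_LIMIT is assumed
from the Gogs configuration reference and should be checked against the
version you run.

Usage: python audit_gogs.py /path/to/custom/conf/app.ini
(with no argument the constructed sample below is audited)
"""
import configparser
import sys
from typing import List

# Constructed sample app.ini: open registration and unlimited repository
# creation, i.e. the risky default-style deployment the article describes.
# Gogs keeps a few keys (APP_NAME, RUN_MODE, ...) above the first section.
SAMPLE_APP_INI = """\
APP_NAME = Gogs
RUN_MODE = prod

[service]
DISABLE_REGISTRATION = false
ENABLE_CAPTCHA = true

[repository]
ROOT = /data/git/gogs-repositories
MAX_CREATION_LIMIT = -1
"""

TRUE_VALUES = ("true", "1", "yes", "on")


def parse_app_ini(ini_text: str) -> configparser.ConfigParser:
    """Parse Gogs-style INI text.

    Keys above the first [section] would make configparser raise
    MissingSectionHeaderError, so they are placed under a synthetic
    [__root__] section. Key case is preserved (Gogs keys are upper-case).
    """
    cfg = configparser.ConfigParser(interpolation=None, allow_no_value=True, strict=False)
    cfg.optionxform = str
    cfg.read_string("[__root__]\n" + ini_text)
    return cfg


def _setting(cfg: configparser.ConfigParser, section: str, key: str, default: str) -> str:
    """Read a setting as a stripped string; missing section/key or a bare key yields default."""
    value = cfg.get(section, key, fallback=None)
    return default if value is None else value.strip()


def audit_gogs_config(ini_text: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing to report."""
    cfg = parse_app_ini(ini_text)
    findings = []

    # Gogs defaults to open registration, so a missing key counts as open.
    if _setting(cfg, "service", "DISABLE_REGISTRATION", "false").lower() not in TRUE_VALUES:
        findings.append("service.DISABLE_REGISTRATION is not true: outsiders can create "
                        "the authenticated account the bug requires")

    # Assumed semantics (from the Gogs config reference): a negative
    # MAX_CREATION_LIMIT means no per-user cap on repository creation.
    try:
        limit = int(_setting(cfg, "repository", "MAX_CREATION_LIMIT", "-1"))
    except ValueError:
        limit = -1
    if limit < 0:
        findings.append("repository.MAX_CREATION_LIMIT is unlimited: any account can create "
                        "the attacker-owned repository Rapid7 describes")
    return findings


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_APP_INI
    for line in audit_gogs_config(text) or ["No findings"]:
        print(line)
```

Per-user limits set through the admin panel are stored in the database rather than app.ini, so an empty result from this script only clears the global settings; the per-user overrides still need a look in the admin UI.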

Next, look for newly created users, repositories, pull requests, branch names that look like command-line options, unexplained 500 errors around merge operations, and repository directories with unexpected files. If the Gogs host is connected to CI runners or deployment automation, rotate tokens and SSH keys that were accessible from that host.
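The branch-name hunt from this paragraph, as an added example that is not code from the article, Rapid7 or the Gogs project: a Python triage of `git for-each-ref` output that flags branch names starting with a dash (the shape of a command-line option) or containing shell metacharacters, and marks which of them were created recently. The for-each-ref format atoms are standard git; the output sample and the fixed "now" timestamp are constructed.

```python
"""Flag branch names that look like command-line options.

Added example, not code from the article, Rapid7 or the Gogs project.
Input is the output of, run inside each bare repository under the Gogs
repository ROOT (repositories live at ROOT/<user>/<repo>.git):

    git for-each-ref --format='%(refname) %(creatordate:iso-strict)' refs/heads

e.g.  for d in "$ROOT"/*/*.git; do git -C "$d" for-each-ref \
        --format='%(refname) %(creatordate:iso-strict)' refs/heads; done \
      | python triage_refs.py
"""
import re
import sys
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# Constructed sample output: two ordinary branches and two that deserve a look.
SAMPLE_FOR_EACH_REF = """\
refs/heads/main 2026-05-20T10:15:02+00:00
refs/heads/feature/login-fix 2026-05-27T09:01:44+00:00
refs/heads/--example-flag 2026-05-28T03:12:09+00:00
refs/heads/release;1.2 2026-05-28T03:15:41+00:00
"""

# Constructed "now" so the sample triage is reproducible; main() uses the real clock.
NOW = datetime(2026, 5, 28, 12, 0, tzinfo=timezone.utc)

# Characters git accepts in a refname but that a developer rarely types into a
# branch name; ';', '|', '&', '$' and backtick matter most if a name reaches a shell.
SUSPECT_CHARS = re.compile(r"[;|&$`(){}<>]")


def triage_refs(for_each_ref_output: str, now: datetime, recent_days: int = 7) -> List[Dict[str, object]]:
    """Return flagged refs, newest first, each with the reasons it was flagged."""
    flagged = []
    for line in for_each_ref_output.splitlines():
        if not line.strip():
            continue
        # Refnames cannot contain spaces, so the last space separates the date.
        refname, _, created = line.rpartition(" ")
        branch = refname[len("refs/heads/"):] if refname.startswith("refs/heads/") else refname

        reasons = []
        if any(part.startswith("-") for part in branch.split("/")):
            reasons.append("component starts with '-' (looks like a command-line option)")
        if SUSPECT_CHARS.search(branch):
            reasons.append("contains shell metacharacters")
        if not reasons:
            continue

        created_at = datetime.fromisoformat(created)
        flagged.append({
            "ref": refname,
            "created": created_at,
            "recent": now - created_at <= timedelta(days=recent_days),
            "reasons": reasons,
        })
    flagged.sort(key=lambda f: f["created"], reverse=True)
    return flagged


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_FOR_EACH_REF
    for hit in triage_refs(text, datetime.now(timezone.utc)):
        marker = "RECENT " if hit["recent"] else ""
        print(f"{marker}{hit['ref']} ({hit['created'].isoformat()}): {'; '.join(hit['reasons'])}")
```

A hit is a lead, not proof of compromise: cross-check the branch's creating account and pull requests in Gogs, and pair the ref list with the 500 errors around merge operations mentioned above.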

This is also a good moment to compare the exposure with other developer-infrastructure risks. We recently covered Megalodon abuse of GitHub Actions and TrapDoor package attacks against AI coding configs; the common theme is that repository access quickly becomes a supply-chain problem. If a Gogs host may have run unknown binaries, isolate it first and use a trusted endpoint scanner such as Gridinsoft Anti-Malware on affected workstations rather than trusting files copied from the server.

What to do while waiting for a patch

  1. Restrict public registration and repository creation on Gogs instances.
  2. Audit repositories where Rebase before merging is enabled or can be enabled by write users.
  3. Review recent accounts, repositories, pull requests, failed merges, and server-side repository files.
  4. Rotate tokens, SSH keys, webhook secrets, and CI/CD credentials stored on or reachable from the Gogs server.
  5. Watch the Gogs project and Rapid7 advisory for a fixed version before re-opening broader access.

Gogs is not the only developer tool with an RCE path reachable through untrusted input. Self-hosted AI teams should also check Flowise CVE-2026-40933, where an untrusted chatflow can reach server-side command execution through Custom MCP.

FAQ

Is there a patch for the Gogs RCE flaw?

Rapid7 reported on May 28, 2026 that no vendor patch was available at publication time. Administrators should treat registration and repository-creation restrictions as temporary risk reduction, not a final fix.

Does the attacker need admin privileges?

No. Rapid7 describes the vulnerable path as reachable by an authenticated user without admin privileges. Default-style open registration can make account creation the first step of the attack.

Are private repositories at risk?

Yes. If command execution happens as the Gogs process user, repository data stored under that process can be exposed or modified, including private repositories and credentials available to the service.

References

  1. Jonah Burgess, Rapid7 Labs. “Authenticated RCE via Argument Injection in Gogs (NOT FIXED).” Rapid7, published and updated May 28, 2026; accessed May 28, 2026. https://www.rapid7.com/blog/post/ve-authenticated-rce-via-argument-injection-gogs-unfixed/
  2. Gogs project. “Configuration primer.” Gogs documentation, accessed May 28, 2026. https://gogs.io/fine-tuning/configuration-primer