New Gogs zero-day flaw lets hackers get remote code execution

By Sergiu Gatlan

May 28, 2026
10:25 AM

An unpatched zero-day vulnerability in the Gogs self-hosted Git service can allow attackers to gain remote code execution (RCE) on Internet-facing instances.
Designed as an alternative to GitHub Enterprise or GitLab and written in Go, Gogs is often exposed online for remote collaboration.
This critical-severity argument injection flaw has yet to be assigned a CVE ID and affects the latest release versions (Gogs 0.14.2 and 0.15.0+dev). Exploitation requires an authenticated account, but not admin privileges.
Even so, Rapid7 senior security researcher Jonah Burges, who discovered the flaw, said the vulnerability affects every Gogs server running with the default configuration, because the basic user account the exploit needs is available to anyone.
"Since Gogs ships with open registration enabled by default (DISABLE_REGISTRATION = false) and no limit on repository creation (MAX_CREATION_LIMIT = -1), an unauthenticated attacker can simply create an account and repository on any default-configured instance," Burges warned on Thursday.
"Any registered user who creates a repo is automatically its owner. From there, enabling rebase merging is a single toggle in settings, and the entire exploit chain can be operated without interaction from any other user."
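The two settings Burges names are the ones that decide whether a stranger on the Internet can reach the "authenticated user" precondition at all, and Gogs falls back to its built-in defaults when a key is simply absent from app.ini. The following audit helper is an added example, not Gogs's own code or the researcher's: it reads an app.ini-style configuration with a minimal parser (a hypothetical helper, not Gogs's loader) and reports each setting that leaves the instance in the default open state. The two embedded configurations are constructed samples, and the choice of 10 as a bounded MAX_CREATION_LIMIT is an illustrative value, not a recommendation from the article.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// Constructed sample configurations (not captured from any real server).
// DefaultStyleConfig spells out the two defaults the article quotes; an
// app.ini that omits both keys behaves identically.
const DefaultStyleConfig = `
[service]
DISABLE_REGISTRATION = false

[repository]
MAX_CREATION_LIMIT = -1
`

// HardenedConfig closes self-registration and bounds repository creation
// (10 is an illustrative limit, an assumption of this example).
const HardenedConfig = `
[service]
DISABLE_REGISTRATION = true

[repository]
MAX_CREATION_LIMIT = 10
`

// parseINI is a minimal reader for the app.ini format (hypothetical helper,
// not Gogs's own loader): "[section]" headers, "key = value" pairs, and
// lines starting with ';' or '#' as comments.
func parseINI(src string) map[string]map[string]string {
	cfg := map[string]map[string]string{}
	section := ""
	sc := bufio.NewScanner(strings.NewReader(src))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || line[0] == ';' || line[0] == '#' {
			continue
		}
		if strings.HasPrefix(line, "[") && strings.HasSuffix(line, "]") {
			section = strings.TrimSpace(line[1 : len(line)-1])
			continue
		}
		k, v, ok := strings.Cut(line, "=")
		if !ok {
			continue
		}
		if cfg[section] == nil {
			cfg[section] = map[string]string{}
		}
		cfg[section][strings.TrimSpace(k)] = strings.TrimSpace(v)
	}
	return cfg
}

// lookup returns the configured value, or def when the key is absent: a
// missing key means Gogs uses its built-in default, which is the risky case.
func lookup(cfg map[string]map[string]string, section, key, def string) string {
	if v, ok := cfg[section][key]; ok {
		return v
	}
	return def
}

// isTrue mirrors the usual INI boolean spellings.
func isTrue(v string) bool {
	switch strings.ToLower(v) {
	case "true", "yes", "on", "1":
		return true
	}
	return false
}

// AuditGogsConfig returns one finding per setting that leaves the instance in
// the "anyone can register and create a repository" state.
func AuditGogsConfig(src string) []string {
	cfg := parseINI(src)
	var findings []string

	reg := lookup(cfg, "service", "DISABLE_REGISTRATION", "false")
	if !isTrue(reg) {
		findings = append(findings, "service.DISABLE_REGISTRATION="+reg+
			": self-registration is open, so an unauthenticated attacker can create an account")
	}
	raw := lookup(cfg, "repository", "MAX_CREATION_LIMIT", "-1")
	if limit, err := strconv.Atoi(raw); err != nil || limit < 0 {
		findings = append(findings, "repository.MAX_CREATION_LIMIT="+raw+
			": unlimited repository creation for every account")
	}
	return findings
}

func main() {
	for name, src := range map[string]string{"default-style": DefaultStyleConfig, "hardened": HardenedConfig} {
		findings := AuditGogsConfig(src)
		fmt.Printf("%s: %d finding(s)\n", name, len(findings))
		for _, f := range findings {
			fmt.Println("  -", f)
		}
	}
}
```

Run it against a copy of custom/conf/app.ini from the server; an empty or minimal file produces both findings, which is the point: a fresh install is in the exposed state until both keys are set explicitly.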
Successful exploitation allows attackers to execute arbitrary code remotely as the Gogs server process user via pull requests that use a malicious branch name to inject the "--exec" flag into git rebase during the "Rebase before merging" merge operation.
They can abuse this security flaw "to compromise the server, read every repository on the instance (including other users' private repos), dump credentials (password hashes, API tokens, SSH keys, 2FA secrets), pivot to other network-accessible systems, and modify any hosted repository's code."
Burges added that this vulnerability is similar to other argument injection flaws (e.g., CVE-2024-39933, CVE-2024-39932, CVE-2026-26194, and CVE-2024-39930) addressed by Gogs in recent years, but affects a different code path (Merge()) that was never patched.
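The underlying pattern in all of these flaws is the same: a user-controlled ref name reaches a git command line in a position where git's option parser is still accepting flags, so a name that starts with "--" is read as an option. The block below is an added example in Go, not Gogs's Merge() code or the researcher's proof of concept; it contrasts a naive argv builder with one that enforces the relevant rules of git check-ref-format --branch (the leading-dash rule is the one that matters here) and also terminates option parsing with --end-of-options, which Git 2.24 and later understand (an assumption about the deployed git version). The head-branch name "--exec=id" is a constructed, option-shaped placeholder chosen to show the parsing problem, not the payload reported to Gogs. Function names are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ErrBadRef is returned for names that must never reach a git command line.
var ErrBadRef = errors.New("invalid branch name")

// ValidateBranchName enforces the subset of `git check-ref-format --branch`
// rules that matter for argument injection (hypothetical helper, not Gogs's
// own code). The first rule, "must not start with '-'", rejects option
// lookalikes such as "--exec=..." before they can be handed to git rebase.
func ValidateBranchName(name string) error {
	switch {
	case name == "", name == "@":
		return fmt.Errorf("%w: empty or '@'", ErrBadRef)
	case strings.HasPrefix(name, "-"):
		return fmt.Errorf("%w: %q starts with '-'", ErrBadRef, name)
	case strings.Contains(name, ".."), strings.Contains(name, "@{"), strings.Contains(name, "//"):
		return fmt.Errorf("%w: %q contains '..', '@{' or '//'", ErrBadRef, name)
	case strings.HasSuffix(name, "/"), strings.HasSuffix(name, "."), strings.HasSuffix(name, ".lock"):
		return fmt.Errorf("%w: %q has a forbidden suffix", ErrBadRef, name)
	}
	for _, r := range name {
		// Control characters, DEL and git's reserved punctuation.
		if r < 0x20 || r == 0x7f || strings.ContainsRune(" ~^:?*[\\", r) {
			return fmt.Errorf("%w: %q contains %q", ErrBadRef, name, r)
		}
	}
	for _, comp := range strings.Split(name, "/") {
		if comp == "" || strings.HasPrefix(comp, ".") || strings.HasSuffix(comp, ".lock") {
			return fmt.Errorf("%w: bad path component %q", ErrBadRef, comp)
		}
	}
	return nil
}

// UnsafeRebaseArgs builds argv the way a naive merge path would: the head
// branch sits where git's option parser still accepts flags, so a name that
// begins with "--" is parsed as an option rather than a ref.
func UnsafeRebaseArgs(base, head string) []string {
	return []string{"rebase", base, head}
}

// SafeRebaseArgs rejects option-shaped names up front and, as a second layer,
// ends option parsing with --end-of-options so that anything after it is
// positional even if a bad name ever slipped past validation.
func SafeRebaseArgs(base, head string) ([]string, error) {
	for _, n := range []string{base, head} {
		if err := ValidateBranchName(n); err != nil {
			return nil, err
		}
	}
	return []string{"rebase", "--end-of-options", base, head}, nil
}

// ParsedAsOption reports whether git's option parser would read argv[idx] as
// a flag: it starts with "-" and no "--end-of-options" or "--" precedes it.
func ParsedAsOption(argv []string, idx int) bool {
	for _, a := range argv[:idx] {
		if a == "--end-of-options" || a == "--" {
			return false
		}
	}
	return strings.HasPrefix(argv[idx], "-")
}

func main() {
	// Constructed attacker-controlled head branch name (illustrative shape only).
	head := "--exec=id"
	argv := UnsafeRebaseArgs("master", head)
	fmt.Printf("naive argv:    git %s   (head parsed as option: %v)\n",
		strings.Join(argv, " "), ParsedAsOption(argv, 2))
	if _, err := SafeRebaseArgs("master", head); err != nil {
		fmt.Println("hardened:      rejected:", err)
	}
	argv, _ = SafeRebaseArgs("master", "feature/safe-name")
	fmt.Println("hardened argv: git", strings.Join(argv, " "))
}
```

Validation alone is not enough if other code paths (API calls, pushes of refs/heads/...) can create a branch with a name the web UI would refuse, which is why the argv builder adds --end-of-options regardless; conversely, the terminator alone does not help a command that is invoked through a shell string, so the two defenses belong together.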
The researcher reported the security flaw to the Gogs maintainers on March 17, but they have yet to provide a patch or respond to further requests for a status update, despite acknowledging the report on March 28.
Internet security watchdog Shadowserver now tracks over 2,400 Gogs servers exposed online, most of them in Asia (1,894) and Europe (319), while Shodan found just over 1,000 IP addresses with a Gogs fingerprint.

Gogs servers exposed online (ShadowServer)
In early December, the Gogs security team patched another Gogs RCE vulnerability (CVE-2025-8110) that was exploited in zero-day attacks to compromise hundreds of servers.
"Many of these instances are configured with 'Open Registration' enabled by default, creating a massive attack surface," Wiz security researchers (who reported the flaw) said at the time.
Wiz Research discovered CVE-2025-8110 while investigating a compromised Internet-facing Gogs server in July and reported the flaw to Gogs maintainers on July 17. They acknowledged Wiz's report three months later, on October 30, and released CVE-2025-8110 patches in early January.
On January 12, CISA confirmed Wiz's report that the CVE-2025-8110 was under active exploitation and added the security flaw to its catalog of vulnerabilities exploited in the wild, ordering Federal Civilian Executive Branch (FCEB) agencies to secure their servers by February 2.
"This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise," CISA warned at the time.



Sergiu Gatlan
Sergiu is a news reporter who has covered the latest cybersecurity and technology developments for over a decade. Email or Twitter DMs for tips.

An unpatched zero-day vulnerability exists in the Gogs self-hosted Git service that permits attackers to achieve remote code execution (RCE) on Internet-facing instances. This critical argument injection flaw affects the latest release versions of Gogs, specifically Gogs 0.14.2 and 0.15.0+dev, and has yet to be assigned a CVE identifier. Exploitation requires an authenticated account but no administrative privileges, and the researcher Jonah Burges pointed out that the default configuration (open registration and no limit on repository creation) lets an unauthenticated attacker satisfy that requirement by simply creating an account and a repository on any default-configured Gogs instance.

The flaw lies in the Gogs code path for the Merge() operation. By opening a pull request from a branch with a malicious name, an attacker can inject the "--exec" flag into the git rebase command that Gogs runs for a "Rebase before merging" merge. A successful exploit executes arbitrary code as the user the Gogs server process runs as. That level of access lets the attacker compromise the system, read every repository hosted on the instance, exfiltrate credentials such as password hashes, API tokens, SSH keys, and two-factor authentication secrets, pivot to other reachable network systems, and modify the code of any hosted repository.

This vulnerability is analogous to other argument injection flaws previously addressed by Gogs, such as CVE-2024-39933, CVE-2024-39932, CVE-2026-26194, and CVE-2024-39930, but it sits in a distinct code path, Merge(), that was never patched. The researcher reported the flaw to the Gogs maintainers on March 17; they acknowledged it on March 28 but have since provided neither a patch nor a response to requests for a status update. The exposure is significant: Shadowserver currently tracks over 2,400 Gogs servers reachable online, most of them in Asia and Europe.

Contextually, the security landscape surrounding Gogs has involved previous high-severity incidents. In early December, the Gogs security team addressed another vulnerability, CVE-2025-8110, which was exploited in zero-day attacks to compromise hundreds of servers. This attention was prompted when Wiz security researchers discovered CVE-2025-8110 in July and reported it to Gogs, leading to patches being released in early January, with CISA confirming the active exploitation of that flaw and urging federal agencies to secure their servers. This history underscores the persistent risk associated with unpatched vulnerabilities in widely deployed systems and the necessity for rigorous security validation across various attack surfaces.