May 30, 2026

Critical Gogs RCE: No Patch, No Response, Metasploit Module Out


A CVSSv4 (Common Vulnerability Scoring System version 4) 9.4 Critical remote code execution (RCE — the ability for a remote attacker to run arbitrary commands on a server) vulnerability has been publicly disclosed in Gogs, a popular open-source self-hosted Git service written in Go, with no patch available 74 days after responsible disclosure. The vulnerability, tracked as GHSA-qf6p-p7ww-cwr9 (a GitHub Security Advisory identifier — no CVE had been assigned as of publication), allows any authenticated Gogs user to execute arbitrary shell commands on the underlying server by crafting a malicious pull request branch name. A public Metasploit module — Metasploit being an industry-standard open-source exploitation framework — has been released, enabling automated exploitation by anyone with basic technical skills. Shodan identifies at least 1,141 internet-facing Gogs instances.

// 01 Gogs RCE: Technical Details

Rapid7 Labs discovered and disclosed the vulnerability on March 17, 2026. The CVSS v4.0 vector is AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H — confirming it is network-exploitable, low-complexity, requires only low privileges (a basic authenticated user account), and impacts confidentiality, integrity, and availability of both the vulnerable server and systems it can reach.

The root cause is argument injection (CWE-88 — a class of vulnerability where user-supplied data is treated as command-line arguments rather than plain data). Specifically, the Merge() function in Gogs' internal/database/pull.go passes a pull request's base branch name directly to git rebase without using a -- separator. In git, a -- before positional arguments tells the tool to stop interpreting subsequent tokens as flags. Without it, a branch name beginning with -- is parsed as a git option rather than a branch identifier.

An attacker creates a branch with a name such as --exec=touch${IFS}/tmp/rce_proof, then opens a pull request using that branch as the base. When the "Rebase before merging" merge operation is triggered, the Gogs process executes:

git rebase --exec=touch${IFS}/tmp/rce_proof HEAD

This passes the --exec flag to git rebase, causing git to execute the embedded shell command after each rebased commit. The command runs as the OS user account under which the Gogs process operates — typically git or gogs — which on many deployments has broad filesystem and network access.
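The fix the text implies is twofold: validate the ref name before it reaches git, and always put a `--` separator in front of positional arguments so that an option-shaped name can never be parsed as a flag. The following is an added example written for this article, not code from the Gogs project; it assumes the command shape quoted above (`git rebase <base> HEAD`) and takes its ref-name rules from git-check-ref-format.

```go
package main

import (
	"errors"
	"fmt"
	"os/exec"
	"strings"
)

// ErrUnsafeRef is returned for a ref name that git could read as an option
// or that git itself would refuse (rules from git-check-ref-format).
var ErrUnsafeRef = errors.New("unsafe ref name")

// validateRefName rejects a leading '-', control and forbidden characters,
// and the "..", "@{", ".lock" and trailing-slash forms git disallows.
func validateRefName(name string) error {
	bad := name == "" || strings.HasPrefix(name, "-") ||
		strings.Contains(name, "..") || strings.Contains(name, "@{") ||
		strings.HasSuffix(name, ".lock") || strings.HasSuffix(name, "/")
	for _, r := range name {
		if r < 0x20 || r == 0x7f || strings.ContainsRune(" ~^:?*[\\", r) {
			bad = true
		}
	}
	if bad {
		return fmt.Errorf("%w: %q", ErrUnsafeRef, name)
	}
	return nil
}

// rebaseArgs builds argv for "git rebase <base> HEAD" with a "--" separator,
// so even a base name that slips past validation is a positional argument.
func rebaseArgs(base string) ([]string, error) {
	if err := validateRefName(base); err != nil {
		return nil, err
	}
	return []string{"rebase", "--", base, "HEAD"}, nil
}

func main() {
	// Constructed inputs: a normal base branch and the option-shaped name
	// from the advisory.
	for _, base := range []string{"main", "--exec=touch${IFS}/tmp/rce_proof"} {
		args, err := rebaseArgs(base)
		if err != nil {
			fmt.Println("rejected:", err)
			continue
		}
		// argv goes straight to execve; no shell ever sees the branch name.
		fmt.Println("would run:", exec.Command("git", args...).Args)
	}
}
```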

Gogs GHSA-qf6p-p7ww-cwr9 — argument injection RCE via pull request merge

Since Gogs ships with open registration enabled by default and no limit on repository creation, an attacker on a public-facing instance can create a free account, set up a repository, and trigger the exploit entirely within their own account — with no interaction required from any other user or administrator.

// 02 Exploitation Status and Threat Landscape

A Metasploit module for GHSA-qf6p-p7ww-cwr9 has been released and is included in the Rapid7 Metasploit Wrap Up for May 29, 2026. The module automates the entire exploitation chain, reducing the skill threshold for attackers to near zero.

No CVE number has been assigned as of publication. The GitHub Security Advisory tracking ID GHSA-qf6p-p7ww-cwr9 is the primary reference for this vulnerability.

The vulnerability has no CISA KEV listing, which is typical for unpatched open-source tools where no federal mandate exists. However, the Gogs RCE risk is significant for any enterprise or developer environment that has deployed Gogs for internal source code management. Source code repositories contain credentials, API keys, infrastructure-as-code, and intellectual property that are high-value targets for ransomware operators and espionage actors.

// 03 Who Is Affected

Affected versions: Gogs 0.14.2 and Gogs 0.15.0+dev (confirmed at commit b53d3162). All prior versions that support the "Rebase before merging" merge strategy are likely affected. There is no fixed version.

A Shodan search — Shodan being an internet-wide scanner that indexes publicly accessible services — identifies 1,141 internet-facing Gogs instances. The actual number of deployments is substantially higher, as most enterprise and developer Gogs instances sit behind VPNs or internal firewalls and are not indexed.

Any organization that:

  • Runs Gogs for internal source code management
  • Has open user registration enabled (the Gogs default)
  • Allows untrusted users or external contributors to open pull requests

…should treat this as an actively exploitable critical vulnerability requiring immediate mitigation.

Gitea — a popular community fork of Gogs — is not affected. Organizations that have migrated from Gogs to Gitea are not exposed to this vulnerability.

// 04 What You Should Do Right Now

  • Determine whether you run Gogs. Check for Gogs processes (ps aux | grep gogs) and its default data directory (/home/git/gogs-repositories or /opt/gogs). Distinguish from Gitea, which has the same heritage but different codepaths.
  • Disable open registration immediately. In app.ini, set DISABLE_REGISTRATION = true under [service]. This raises the bar for exploitation from "any internet user" to "already-authenticated user" — significant mitigation while a fix is unavailable.
  • Restrict pull request creation to trusted users. If your use case permits, set repositories to private and limit contributors to trusted internal accounts.
  • Monitor server logs for exploitation artifacts. Watch for the error pattern:
    grep -r "git checkout '--exec=" /path/to/gogs/log/
    and look for unexpected files or network connections originating from the gogs process user.
  • Scan for post-exploitation IOCs. Look for API tokens with names matching msf_[hex] (a Metasploit naming convention) in Gogs user settings, and for unexpected branches with names beginning with --exec.
  • Consider migrating to Gitea. Gitea is a maintained community fork of Gogs with an active security response process and is not affected by this vulnerability. Rapid7 recommends migration over waiting for a Gogs patch given the maintainer's non-responsiveness.
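The log, branch and token checks in the steps above can be run as one sweep. This is an added example written for this article, not a Rapid7 or Gogs tool; the log lines, branch list and token names are constructed samples, and the log regex generalises the article's grep pattern to any git subcommand that received a quoted, option-shaped branch name.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding is one suspicious artifact and the evidence behind it.
type Finding struct {
	Kind     string // "log", "ref" or "token"
	Evidence string
}

var (
	// A git subcommand given a quoted, option-shaped branch name;
	// generalises the article's grep for "git checkout '--exec=".
	logPattern = regexp.MustCompile(`git \S+ '--[A-Za-z-]+=`)
	// API tokens named msf_<hex>, the convention noted in the article.
	tokenPattern = regexp.MustCompile(`^msf_[0-9a-fA-F]+$`)
)

// collect keeps the items for which match is true, tagged with kind.
func collect(kind string, items []string, match func(string) bool) []Finding {
	var out []Finding
	for _, it := range items {
		if it = strings.TrimSpace(it); match(it) {
			out = append(out, Finding{kind, it})
		}
	}
	return out
}

// scanLogs flags Gogs log lines where a branch name reached git as an option.
func scanLogs(lines []string) []Finding { return collect("log", lines, logPattern.MatchString) }

// scanRefs flags short ref names (git for-each-ref --format=%(refname:short))
// that begin with '-' and would be parsed as options by any git subcommand.
func scanRefs(refs []string) []Finding {
	return collect("ref", refs, func(r string) bool { return strings.HasPrefix(r, "-") })
}

// scanTokens flags API token names following the Metasploit naming convention.
func scanTokens(names []string) []Finding { return collect("token", names, tokenPattern.MatchString) }

func main() {
	// Constructed samples: a Gogs log excerpt, a repo's branches, a user's tokens.
	logs := []string{
		"2026/05/30 10:12:01 [ERROR] git checkout '--exec=touch${IFS}/tmp/rce_proof': exit status 128",
		"2026/05/30 10:12:05 [ INFO] Pull request #7 merged",
	}
	refs := []string{"main", "--exec=touch${IFS}/tmp/rce_proof", "feature/x"}
	tokens := []string{"ci-deploy", "msf_3fa9c2"}
	for _, f := range append(append(scanLogs(logs), scanRefs(refs)...), scanTokens(tokens)...) {
		fmt.Printf("%-5s %s\n", f.Kind, f.Evidence)
	}
}
```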

// 05 Background: Understanding the Risk

Gogs was originally created in 2014 as a lightweight alternative to self-hosted GitLab or GitHub Enterprise. At its peak it was one of the most popular self-hosted Git services for small teams and individual developers, valued for its minimal resource requirements. However, the project's maintenance activity has declined significantly in recent years, with infrequent releases and slow security response times.

This is not the first argument injection vulnerability in Gogs. CVE-2024-39932 (argument injection during change preview), CVE-2024-39930 (argument injection in the built-in SSH server), and a similar tagging vulnerability were all disclosed in 2024. This pattern indicates a structural problem: the Gogs codebase passes user-controlled strings to git subprocess calls without sanitization across multiple code paths, and the maintainer has not implemented a systematic fix.

Argument injection vulnerabilities against git tooling are particularly severe in self-hosted source code management because the git process often runs with elevated access to repository data, SSH keys, and deployment credentials. Attackers who compromise a Gogs server can pivot to any system that trusts the repository: CI/CD pipelines, production deployment targets, and secrets management systems.

The Rapid7 disclosure timeline shows the vendor acknowledged the report on March 28, 2026, but provided no further response despite follow-up communications in April and May. After 74 days with no patch forthcoming, Rapid7 published the full details alongside a working Metasploit module.

// 06 Conclusion

The Gogs RCE vulnerability tracked as GHSA-qf6p-p7ww-cwr9 has CVSSv4 9.4 Critical severity, no vendor patch after 74 days, and a public Metasploit exploit module. Any organization running internet-accessible Gogs should disable open registration immediately and begin planning migration to Gitea. Source code repositories that contain credentials, infrastructure code, and deployment keys are high-value targets — treat this as a critical incident response priority rather than a future-sprint ticket.

Team Ciphers Security

The Ciphers Security editorial team — practitioners covering daily threat intel, CVE deep-dives, and hands-on cybersecurity research.