Unpatched RCE Flaw in Gogs Has a Metasploit Module and Zero Response From Maintainers
A critical remote code execution vulnerability in Gogs, the self-hosted Git service used widely across the open-source community, has been sitting unpatched for over two months. Any authenticated user on a default installation can exploit it. No elevated privileges needed.
Rapid7 researcher Jonah Burgess discovered the flaw and reported it through GitHub's security advisory process on March 17. The Gogs maintainers acknowledged the report on March 28 and then went completely silent. No status updates. No response to requests to extend the disclosure deadline. Nothing.
The bug carries a CVSS score of 9.4 and affects every supported platform: Windows, Linux, and macOS, regardless of how the software was installed.
The technical root of the problem sits in the pull request merge flow, specifically in how the Merge() function inside internal/database/pull.go handles branch names. When a repository has "Rebase before merging" enabled, the base branch name from a pull request is passed straight to a git rebase command as an argument. Nothing separates options from operands: there is no "--" end-of-options marker to tell Git where flags stop and positional arguments begin, so a branch name that starts with a dash is free to be read as a flag, and input sanitisation is essentially absent.
The result is textbook argument injection. An attacker creates a branch with a name like --exec=touch${IFS}/tmp/rce_proof, and when the pull request is merged Git interprets it as an --exec flag rather than a branch name. The --exec option of git rebase runs the given command through the shell after each commit is replayed, so the payload executes on the server as a side effect of the normal merge flow. The ${IFS} in the payload stands in for a space, which Git does not permit in a ref name. Burgess has also built a Metasploit module that handles the cross-platform differences automatically.
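To make the argument-injection mechanism concrete, here is an added illustrative model in Go (Gogs's own language). It is not Gogs's Merge() code, not the fix in Burgess's pull request, and not his Metasploit module. The vulnerable argv shape is placed beside a hypothetical hardened one, and classifyArgv is a deliberately simplified stand-in for Git's option parser: anything before "--" that begins with a dash counts as an option, anything after "--" is positional. The attackerBranch constant is the payload quoted above, embedded here as constructed sample input.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// attackerBranch is a constructed sample matching the payload quoted in the
// article. ${IFS} stands in for a space because Git rejects spaces in ref names.
const attackerBranch = "--exec=touch${IFS}/tmp/rce_proof"

// vulnerableRebaseArgs mirrors the flawed pattern: the user-controlled base
// branch is placed directly after the subcommand with no end-of-options marker.
// (Illustrative only; this is not Gogs's actual Merge() implementation.)
func vulnerableRebaseArgs(base string) []string {
	return []string{"rebase", base}
}

// isOptionLike reports whether a ref name would be read as a command-line
// option by Git's parser if it appeared before the "--" marker.
func isOptionLike(name string) bool {
	return strings.HasPrefix(name, "-")
}

// hardenedRebaseArgs is a hypothetical fix with two independent defences:
// it refuses empty or option-like names outright (no normal branch name begins
// with a dash, so rejecting it costs nothing), and it inserts "--" so that
// whatever follows can only ever be a positional operand.
func hardenedRebaseArgs(base string) ([]string, error) {
	if base == "" || isOptionLike(base) {
		return nil, errors.New("refusing empty or option-like branch name: " + base)
	}
	return []string{"rebase", "--", base}, nil
}

// classifyArgv is a simplified model of parse-options semantics: every element
// before "--" that starts with '-' is an option, everything after "--" is
// positional. argv[0] is the git subcommand and is skipped.
func classifyArgv(argv []string) (options, positional []string) {
	seenDashDash := false
	for _, a := range argv[1:] {
		switch {
		case seenDashDash:
			positional = append(positional, a)
		case a == "--":
			seenDashDash = true
		case strings.HasPrefix(a, "-"):
			options = append(options, a)
		default:
			positional = append(positional, a)
		}
	}
	return options, positional
}

// branchBecomesOption reports whether the attacker-controlled base branch
// ends up in the option set for the given argv, i.e. whether injection succeeds.
func branchBecomesOption(argv []string, base string) bool {
	options, _ := classifyArgv(argv)
	for _, o := range options {
		if o == base {
			return true
		}
	}
	return false
}

func main() {
	vuln := vulnerableRebaseArgs(attackerBranch)
	fmt.Printf("vulnerable argv: git %s\n", strings.Join(vuln, " "))
	fmt.Printf("  branch parsed as option? %v\n", branchBecomesOption(vuln, attackerBranch))

	if _, err := hardenedRebaseArgs(attackerBranch); err != nil {
		fmt.Println("hardened: rejected ->", err)
	}
	safe, _ := hardenedRebaseArgs("main")
	fmt.Printf("hardened argv for a normal branch: git %s\n", strings.Join(safe, " "))
}
```

The two defences are independent on purpose. The "--" marker alone is sufficient for git rebase, which uses Git's standard option parser, but rejecting dash-prefixed names as well means a later refactor that drops the marker, or a code path that builds a different git command, does not silently reopen the hole.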
With a working exploit module now public and no patch in sight, the window before active exploitation starts is probably short.
Burgess has submitted a pull request with a suggested fix, currently awaiting review. Neither the Gogs maintainers nor DigitalOcean, which sponsors the project, have responded to press inquiries about when a patch might arrive.
In the meantime, there are partial mitigations. Disabling open registration (DISABLE_REGISTRATION = true in app.ini) is the most effective step, cutting off untrusted users entirely. Setting MAX_CREATION_LIMIT = 0 stops users from creating repositories of their own, which blocks the simplest attack path: an attacker no longer gets a repository where they control both the branch names and the merge settings. Anyone with write access to an existing repository can still exploit the flaw, however. Disabling "Rebase before merging" in repository settings helps too, though repository owners and admins can simply re-enable it, and there is no global or organisation-level control to prevent that.
None of these are substitutes for an actual fix. If you're running Gogs, pay attention.