Gogs 0.14.3 Patches Critical RCE Zero-Day After 10 Days Without Fix

Gogs version 0.14.3 patches a critical CVSSv4 9.4 RCE zero-day that had exposed 2,300 internet-facing servers for ten days with a public Metasploit exploit.

For ten days after Rapid7 published full technical details of a critical argument injection vulnerability in the Gogs self-hosted Git service, more than 2,300 internet-exposed Gogs servers had no patch available — only a public Metasploit module that automated the exploitation process. That changed when Gogs released version 0.14.3.

Argument Injection in Gogs Merge Code Path Achieves RCE via Crafted Branch Name

The vulnerability exists in Gogs’ “Rebase before merging” pull request operation. When a pull request is merged using that option, Gogs executes a server-side git rebase command. An attacker who can create a repository and give a branch a specially crafted name can inject the --exec flag into that command — causing the Gogs server to execute arbitrary system commands as the Gogs process user. The attack operates entirely within the attacker’s own repository; access to any other user’s code is not required.

The bug was discovered by Jonah Burgess (CryptoCat), a senior security researcher at Rapid7, and reported to Gogs maintainers on March 17, 2026. Maintainers acknowledged the report but, through multiple follow-up contacts over approximately 82 days, did not produce a fix; once the disclosure deadline had passed, Rapid7 published a full technical disclosure on May 28, 2026. A working Metasploit module became publicly available shortly after, giving any researcher or attacker with framework access an automated exploitation path against all vulnerable Gogs instances reachable from the internet.

Attack Chain: Account Creation, Malicious Branch Name, and the --exec Flag Injection

The attack path is straightforward on any default-configured Gogs instance. Gogs ships with open registration enabled by default, meaning any internet-reachable instance can be exploited by someone with no prior access to that server. An attacker creates a free account, creates a repository, pushes a branch whose name contains the injected --exec payload string, then initiates a pull request merge using the “Rebase before merging” option. At that point, the Gogs server executes arbitrary commands specified by the attacker with the server process user’s privileges. The entire chain requires only network access and a few minutes.

2,300 Internet-Exposed Gogs Servers Faced a 10-Day Window with a Public Metasploit Module

Shadowserver Foundation tracked over 2,300 internet-facing Gogs servers globally during the disclosure period. All were vulnerable from May 28, when Rapid7’s technical disclosure and the Metasploit module became available, through June 7, when Gogs released version 0.14.3. That ten-day window represents the period during which any of those servers could have been exploited by anyone who downloaded the Metasploit framework — no specialized capability required. Successful exploitation enables server compromise, access to all hosted repositories including private ones, credential theft from stored configurations, lateral movement, and source code modification — a chain that, in a CI/CD-integrated Gogs environment, could reach production systems through an organization’s own build pipeline.

Gogs 0.14.3 Closes the Flaw; Prior Rapid7 CVEs Suggest Systemic Argument Injection Risk

The patch is available in Gogs version 0.14.3, released June 7, 2026. Organizations running any version through 0.14.2 or development builds at 0.15.0+dev should update immediately and review server access logs from May 28 onward for exploitation indicators.

Rapid7’s History of Gogs Argument Injection CVEs Points to a Recurring Code-Level Pattern

This is not the first argument injection flaw Rapid7 has documented in the Gogs codebase. Prior vulnerabilities — CVE-2024-39933, CVE-2024-39932, CVE-2026-26194, and CVE-2024-39930 — affected different code paths in the same general category: user-controlled input reaching shell command execution contexts without sufficient sanitization. Each fix addressed the specific code path identified at the time but left related paths unpatched until researchers located them in subsequent investigations. The June 7 patch addresses the Merge() code path. Whether analogous patterns persist in other Gogs operations that invoke shell commands remains a question the project’s maintainers and the research community will need to work through, given that the same class of flaw has appeared across at least five separate discovery cycles.
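The recurring pattern described here (user-controlled input reaching a git argument list) and the --exec injection described in the merge section above come down to one boundary: the point where a ref name supplied by a user is placed into argv. The following Go program is an added example, not Gogs' code or Rapid7's; the functions `ValidateRefName`, `VulnerableRebaseArgs`, `SafeRebaseArgs` and `RebaseCommand` and the sample branch names are constructed for illustration. It contrasts the unsafe pattern (the name spliced straight into argv, where a leading dash is read as an option) with two defender-side controls: rejecting any name that fails git's ref-name rules, with a leading '-' treated as fatal, and placing positional arguments after the `--` end-of-options marker that git's option parser honours, so a dash-prefixed value could not be reinterpreted even if validation were bypassed.

```go
package main

import (
	"errors"
	"fmt"
	"os/exec"
	"strings"
)

// ErrUnsafeRef marks a user-supplied ref name that must never reach git's argv.
var ErrUnsafeRef = errors.New("unsafe ref name")

// ValidateRefName mirrors the rules of `git check-ref-format --branch` and adds
// the one that matters for argument injection: a name beginning with '-' would
// be parsed by git as an option (such as --exec) rather than as a ref.
func ValidateRefName(name string) error {
	if name == "" {
		return fmt.Errorf("%w: empty name", ErrUnsafeRef)
	}
	if strings.HasPrefix(name, "-") {
		return fmt.Errorf("%w: %q begins with '-' and would be parsed as an option", ErrUnsafeRef, name)
	}
	if name == "@" || strings.HasSuffix(name, ".lock") || strings.HasSuffix(name, ".") || strings.HasSuffix(name, "/") {
		return fmt.Errorf("%w: %q has a forbidden ending", ErrUnsafeRef, name)
	}
	for _, bad := range []string{"..", "@{"} {
		if strings.Contains(name, bad) {
			return fmt.Errorf("%w: %q contains %q", ErrUnsafeRef, name, bad)
		}
	}
	for _, r := range name {
		// Control characters, DEL, and the characters git forbids in ref names.
		if r < 0x20 || r == 0x7f || strings.ContainsRune(" ~^:?*[\\", r) {
			return fmt.Errorf("%w: %q contains forbidden character %q", ErrUnsafeRef, name, r)
		}
	}
	for _, comp := range strings.Split(name, "/") {
		if comp == "" || strings.HasPrefix(comp, ".") {
			return fmt.Errorf("%w: %q has an empty or dot-prefixed path component", ErrUnsafeRef, name)
		}
	}
	return nil
}

// VulnerableRebaseArgs shows the pattern behind the flaw (constructed
// illustration, not Gogs' code): the caller-controlled branch name lands
// directly in argv, so git sees whatever option syntax it happens to contain.
func VulnerableRebaseArgs(upstream, branch string) []string {
	return []string{"rebase", upstream, branch}
}

// SafeRebaseArgs refuses names that fail validation and places the positional
// arguments after "--", git's end-of-options marker, as a second layer.
func SafeRebaseArgs(upstream, branch string) ([]string, error) {
	for _, n := range []string{upstream, branch} {
		if err := ValidateRefName(n); err != nil {
			return nil, err
		}
	}
	return []string{"rebase", "--", upstream, branch}, nil
}

// RebaseCommand builds (but does not run) the git invocation from the safe argv,
// so an unsafe name is rejected before any process is ever spawned.
func RebaseCommand(repoDir, upstream, branch string) (*exec.Cmd, error) {
	args, err := SafeRebaseArgs(upstream, branch)
	if err != nil {
		return nil, err
	}
	cmd := exec.Command("git", args...)
	cmd.Dir = repoDir
	return cmd, nil
}

func main() {
	// Constructed sample names: an ordinary branch, then one shaped like an
	// option, which the safe builder must refuse.
	for _, branch := range []string{"feature/login-fix", "--exec"} {
		fmt.Printf("vulnerable argv: %q\n", VulnerableRebaseArgs("main", branch))
		if args, err := SafeRebaseArgs("main", branch); err != nil {
			fmt.Println("safe builder refused:", err)
		} else {
			fmt.Printf("safe argv:       %q\n", args)
		}
	}
}
```

Running it prints both argv forms for each sample name: only the vulnerable builder lets the dash-prefixed value through as a bare argument, while the safe builder returns an error wrapping `ErrUnsafeRef` and never constructs a command. The validation is the primary control; the `--` separator is defence in depth for the case where a future code path forgets to call it.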

The broader context for Gogs administrators: the project’s small volunteer maintenance team contributed to an 82-day gap between the March 17 report and the June 7 patch — close to but within the industry-standard 90-day coordinated disclosure timeline. Organizations running self-hosted Gogs instances should treat the recurring argument injection pattern as a signal to evaluate compensating controls, including network-level access restrictions on Gogs instances and monitoring for unusual shell process activity originating from the Gogs server process.
