GHSA-qf6p-p7ww-cwr9: Gogs vulnerable to RCE via git rebase --exec argument injection in pull request merge
Gogs: RCE via git rebase --exec Argument Injection in PR Merge
Summary
Gogs allows authenticated users to achieve Remote Code Execution (RCE) on the server by creating a pull request with a specially crafted branch name that injects the --exec flag into the git rebase command during the "Rebase before merging" merge operation.
Severity
Critical - CVSS 3.1 Base Score: 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
Affected Versions
- Gogs 0.14.2 (latest supported release)
- Gogs 0.15.0+dev (commit b53d3162, main branch as of 2026-03-16)
- All prior versions that support the "Rebase before merging" merge style
Impact
This is a privilege escalation from authenticated user to server-level code execution. The attacker uses their own repository as the delivery mechanism - the target is not the repository but the Gogs server itself. On any multi-tenant Gogs instance (company, university, open source hosting), this gives one authenticated user full control of the underlying server:
- Server compromise: Arbitrary command execution as the Gogs process user
- Cross-tenant data breach: Read ALL repositories on the instance, including other users' private repos
- Credential theft: Access the database containing password hashes, API tokens, SSH keys, and 2FA secrets for every user
- Lateral movement: Pivot to other systems accessible from the server's network
- Supply chain attacks: Silently modify any hosted repository's code. The Gogs process user (typically git) has direct filesystem-level read/write access to every repository on the instance under a single REPOSITORY_ROOT directory (default: ~/gogs-repositories). There is no OS-level isolation between repositories; all access control is application-layer only.
The vulnerability affects all supported platforms (Linux, macOS, Windows) and installation methods (pre-built binary, Docker, source). On Docker installations, the Gogs process runs as the git user (UID 1000 by default).
The severity is heightened because:
- Open
Details
Original advisory: https://github.com/advisories/GHSA-qf6p-p7ww-cwr9
Exploitation outlook
EPSS (FIRST.org) estimates each CVE’s probability of exploitation in the next 30 days — here is the CSIRTS.com read on those numbers.
- Moderate exploitation riskCVE-2026-528061.0% 30-day exploitation probability. Patch within normal cadence, watch for KEV listing. Riskier than 60% of all scored CVEs.
Referenced CVEs
| CVE | CSIRTS overview | External |
|---|---|---|
| CVE-2026-52806 | coverage & exploitation status | NVD · CVE.org |
More from GitHub Security Advisories
- criticalGHSA-g936-7jqj-mwv8: TSDProxy: Internal proxy auth token forwarded to backend services enables management API …2026-07-10
- highGHSA-fpg8-7664-jc5q: melange: Incomplete package integrity verification allows data section substitution2026-07-10
- mediumGHSA-48rx-c7pg-q66r: Excon does not redact additional sensitive/risky headers when following redirects2026-07-10
- highGHSA-h4g2-xfmw-q2c9: Clauster: Non-loopback deployments can serve the dashboard unauthenticated when auth.enab…2026-07-10
- mediumGHSA-rqq5-2gf9-4w4q: Secure Headers: CSP directive injection via sandbox, plugin_types, and report_to when giv…2026-07-10