CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

GHSA-qf6p-p7ww-cwr9: Gogs vulnerable to RCE via git rebase --exec argument injection in pull request merge

criticalCVSS 9.9CVE-2026-52806
Gogs: RCE via git rebase --exec Argument Injection in PR Merge Summary Gogs allows authenticated users to achieve Remote Code Execution (RCE) on the server by creating a pull request with a specially crafted branch name that injects the --exec flag into the git rebase command during the "Rebase before merging" merge operation. Severity Critical - CVSS 3.1 Base Score: 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H) Affected Versions - Gogs 0.14.2 (latest supported release) - Gogs 0.15.0+dev (commit b53d3162, main branch as of 2026-03-16) - All prior versions that support the "Rebase before merging" merge style Impact This is a privilege escalation from authenticated user to server-level code execution. The attacker uses their own repository as the delivery mechanism - the target is not the repository but the Gogs server itself. On any multi-tenant Gogs instance (company, university, open source hosting), this gives one authenticated user full control of the underlying server: - Server compromise: Arbitrary command execution as the Gogs process user - Cross-tenant data breach: Read ALL repositories on the instance, including other users' private repos - Credential theft: Access the database containing password hashes, API tokens, SSH keys, and 2FA secrets for every user - Lateral movement: Pivot to other systems accessible from the server's network - Supply chain attacks: Silently modify any hosted repository's code. The Gogs process user (typically git) has direct filesystem-level read/write access to every repository on the instance under a single REPOSITORY_ROOT directory (default: ~/gogs-repositories). There is no OS-level isolation between repositories; all access control is application-layer only. The vulnerability affects all supported platforms (Linux, macOS, Windows) and installation methods (pre-built binary, Docker, source). On Docker installations, the Gogs process runs as the git user (UID 1000 by default). The severity is heightened because: - Open

Details

Source
GitHub Security Advisories (INTL · database · site)
Severity
critical — CVSS 9.9
Published
2026-06-23
Last updated
2026-07-10
Exploitation
Not in CISA KEV at last sync

Original advisory: https://github.com/advisories/GHSA-qf6p-p7ww-cwr9

Exploitation outlook

EPSS (FIRST.org) estimates each CVE’s probability of exploitation in the next 30 days — here is the CSIRTS.com read on those numbers.

Referenced CVEs

CVECSIRTS overviewExternal
CVE-2026-52806coverage & exploitation statusNVD · CVE.org

More from GitHub Security Advisories