{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/gogs/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Gogs 0.14.2","Gogs 0.15.0+dev","Gogs (All prior versions)"],"_cs_severities":["critical"],"_cs_tags":["rce","gogs","git","code-repository","vulnerability","argument-injection","server-side-request-forgery"],"_cs_type":"advisory","_cs_vendors":["Gogs"],"content_html":"\u003cp\u003eA critical Remote Code Execution (RCE) vulnerability, identified as GHSA-qf6p-p7ww-cwr9, affects Gogs, the self-hosted Git service, specifically versions 0.14.2, 0.15.0+dev (prior to commit \u003ccode\u003eb53d3162\u003c/code\u003e), and all prior versions supporting \u0026quot;Rebase before merging\u0026quot; merge styles. This vulnerability allows any authenticated user to achieve RCE on the underlying server by crafting a malicious branch name that injects the \u003ccode\u003e--exec\u003c/code\u003e flag into the \u003ccode\u003egit rebase\u003c/code\u003e command during a pull request merge. The exploit results in privilege escalation from a regular user to server-level code execution, enabling full compromise, cross-tenant data breaches, and supply chain attacks. The severity is heightened by Gogs's default open registration (\u003ccode\u003eDISABLE_REGISTRATION = false\u003c/code\u003e) and the fact that any user can create a repository and enable the \u0026quot;Rebase before merging\u0026quot; option without administrator intervention, effectively making the vulnerability exploitable with minimal prerequisites and leaving minimal traces in logs.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access\u003c/strong\u003e: An attacker obtains an authenticated account on the Gogs instance, either through open registration or by compromising existing credentials.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eRepository Setup\u003c/strong\u003e: The attacker creates their own repository (or gains write access to one where \u0026quot;Rebase before merging\u0026quot; is enabled) and then enables the \u0026quot;Rebase before merging\u0026quot; option in the repository settings.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMalicious Branch Creation\u003c/strong\u003e: The attacker creates a new branch in their repository with a specially crafted name, such as \u003ccode\u003e--exec=touch${IFS}/tmp/rce_proof\u003c/code\u003e, which abuses the \u003ccode\u003egit rebase --exec\u003c/code\u003e argument.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePull Request Submission\u003c/strong\u003e: The attacker creates a pull request (PR) targeting their own repository's base branch from their malicious branch.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMerge Operation Initiation\u003c/strong\u003e: The attacker initiates the \u0026quot;Rebase before merging\u0026quot; operation for the malicious pull request through the Gogs web interface.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eRemote Code Execution\u003c/strong\u003e: During the rebase process, Gogs executes the \u003ccode\u003egit rebase\u003c/code\u003e command with the attacker's crafted branch name. Git interprets \u003ccode\u003e--exec=...\u003c/code\u003e as an argument, causing the embedded command (\u003ccode\u003etouch /tmp/rce_proof\u003c/code\u003e or a base64-encoded payload) to execute on the Gogs server as the Gogs process user (typically \u003ccode\u003egit\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eServer Compromise/Impact\u003c/strong\u003e: Despite a subsequent \u003ccode\u003egit checkout\u003c/code\u003e failure leading to an HTTP 500 error in Gogs, the RCE has already successfully completed, giving the attacker full control over the server.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability leads to severe consequences, including full server compromise. An attacker gains arbitrary command execution as the Gogs process user, which can lead to cross-tenant data breaches, allowing them to read all repositories on the instance, including other users' private code. This can also facilitate credential theft, providing access to password hashes, API tokens, SSH keys, and 2FA secrets for every user. Furthermore, the attacker can use the compromised server for lateral movement into other internal systems and can conduct supply chain attacks by silently modifying any hosted repository's code. This critical vulnerability affects all Gogs installations regardless of the operating system (Linux, macOS, Windows) or deployment method (binary, Docker, source), posing a significant threat to the integrity and confidentiality of code hosted on Gogs instances.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003ePatch Immediately\u003c/strong\u003e: Upgrade Gogs to a version that contains the fix for GHSA-qf6p-p7ww-cwr9. As of the advisory, a patch was not explicitly mentioned, but the issue is tied to \u003ccode\u003eb53d3162\u003c/code\u003e commit. Monitor Gogs releases for official patch availability.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImplement Process Monitoring\u003c/strong\u003e: Deploy the Sigma rule in this brief to your SIEM to detect \u003ccode\u003egit rebase\u003c/code\u003e commands containing the \u003ccode\u003e--exec=\u003c/code\u003e argument. Ensure your endpoint detection and response (EDR) or Sysmon configuration captures process creation events, including command-line arguments and parent-child relationships, on Gogs server hosts.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eReview Gogs Configuration\u003c/strong\u003e: If patching is not immediately possible, consider disabling the \u0026quot;Rebase before merging\u0026quot; option globally or restricting user permissions to prevent its enablement on repositories until a patch is applied.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMonitor Gogs Application Logs\u003c/strong\u003e: Regularly review Gogs application logs for error messages indicating \u003ccode\u003egit checkout '--exec=\u0026lt;...\u0026gt;': exit status 128 - error: unknown option \\\u003c/code\u003eexec=\u0026lt;...\u0026gt;''`, which signifies a post-RCE attempt to check out the malicious branch.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-03T11:00:08Z","date_published":"2026-07-03T11:00:08Z","id":"https://feed.craftedsignal.io/briefs/2026-07-gogs-rce/","summary":"Gogs, a self-hosted Git service, is vulnerable to a Critical (CVSS 9.9) Remote Code Execution (RCE) via `git rebase --exec` argument injection (GHSA-qf6p-p7ww-cwr9) during pull request merge operations, allowing an authenticated attacker to execute arbitrary commands as the Gogs server process user and achieve full server compromise.","title":"Gogs Remote Code Execution via git rebase --exec Argument Injection (GHSA-qf6p-p7ww-cwr9)","url":"https://feed.craftedsignal.io/briefs/2026-07-gogs-rce/"}],"language":"en","title":"CraftedSignal Threat Feed - Gogs","version":"https://jsonfeed.org/version/1.1"}