An Urgent Fix That Isn’t Coming: The Unpatched Gogs RCE Zero-Day

This omission means that if an attacker names their branch something like

--exec='malicious command'

git rebase

Attack details at a glance:

• Required access: Any standard, authenticated user account. Administrative privileges are not needed.
• Vector: A specially crafted pull request with a malicious branch name.
• Payload: The attacker injects the --exec flag, followed by their desired shell command.
• Affected versions: The latest releases, Gogs 0.14.2 and 0.15.0+dev, are confirmed vulnerable.
• Status: Unpatched. The flaw has no CVE identifier as of public disclosure on May 27, 2026.

Security researcher Jonah Burgess, who discovered the flaw for Rapid7 Labs, explained the mechanism bluntly: "The vulnerability allows any authenticated user to achieve remote code execution (RCE) on the server by creating a pull request with a malicious branch name that injects the --exec flag into

git rebase

A Predictable Crisis: The Pattern of Maintainer Inaction

For those who have followed the Gogs project, this critical unpatched zero-day is not a surprise. It is the latest and most severe example of a multi-year pattern of security reports being met with silence from the project's primary—and in practice, sole—maintainer.

The timeline of neglect is well-documented by multiple independent research teams:

• July 2024 (SonarSource): Researchers publicly disclosed four unfixed vulnerabilities in Gogs, including multiple argument injection bugs and an internal file deletion flaw, all with critical CVSS 9.9 scores. They reported them to the maintainer, but after an initial acceptance, communication ceased and no patches ever materialized .
• November 2024 (Independent Researcher): A separate unpatched RCE via symlink traversal (CVE-2024-44625) was reported and entirely ignored, mirroring the SonarSource experience .
• December 2025 (Wiz Research): A zero-day path traversal bug (CVE-2025-8110) was discovered being actively exploited in the wild. It compromised over 700 internet-facing servers and led to an urgent warning from the U.S. Cybersecurity and Infrastructure Security Agency (CISA), which added it to its Known Exploited Vulnerabilities catalog .
• May 2026 (NVD/SentinelOne): A new command injection bug (CVE-2026-26194) was reserved for a flaw in Gogs' release-deletion function, further adding to the list of Git option injection problems in the codebase .

This history has transformed the latest Rapid7 disclosure into something more than a security advisory. As one industry outlet put it, the situation is "a reminder of the limits of open source projects" when they depend on a single, unresponsive maintainer . With no effective multi-stakeholder governance, a widely used piece of critical infrastructure can become a permanent risk.

How to Protect Your Gogs Server Now

Since a software patch is not available, administrators must rely on configuration changes and network-level controls to neutralize the attack vector. The following steps stop the immediate threat and reduce the attack surface.

1. Disable "Rebase before merging" Immediately
This is the single most effective mitigation. The entire attack chain depends on this specific merge style. Changing repository or instance-wide settings to "Merge commit" or "Squash" eliminates the vulnerable code path entirely .

2. Restrict Network Access
The attack requires authenticated HTTP access to create a pull request. If your Gogs server does not need to be public, move it behind a VPN or firewall that only allows trusted internal users. This removes the platform from mass internet scanners and casual attackers.

3. Tighten User Registration and Permissions
Since any authenticated user can exploit this flaw, minimizing the number of accounts on the server is a key defense. Disable self-registration and manually approve new users. Immediately audit your user list and deactivate any stale or unknown accounts .

4. Monitor Pull Requests for Anomalies
Implement aggressive monitoring for pull request branch names that contain suspicious characters, including double dashes (--), semicolons, backticks, or clear shell command tokens like exec, curl, or wget. An unusual branch name is a strong indicator of an active exploit attempt .

5. Plan Your Long-Term Exit from Gogs
Given the documented pattern of unpatched critical vulnerabilities, continued reliance on Gogs is a strategic risk. The most feasible alternative is Gitea, a community-driven fork of Gogs that has a robust, multi-maintainer development team and a responsive security process. Several other major Git service platforms exist, but for teams that chose Gogs specifically for its lightweight, self-hosted nature, Gitea is a near drop-in replacement that eliminates the single-maintainer bottleneck .

6. Prepare for a Patch (If One Arrives)
Stay subscribed to the Gogs security page and GitHub releases. If a patch is eventually published, upgrade immediately. However, plan your security posture under the assumption that this pattern will repeat, and that a future critical vulnerability will again linger unpatched for months.