Gogs patches critical zero-day enabling remote code execution
A critical zero-day vulnerability in Gogs, a self-hosted Git service, allows authenticated users without admin privileges to execute remote code on Internet-facing instances. The flaw, an argument injection vulnerability affecting all versions up to 0. 14. 2 and 0. 15. 0+dev, enables attackers to access any repositories including private ones, steal credentials, and alter source code. Exploitation requires at least basic user privileges, but default configurations with open registration allow unauthenticated attackers to create accounts and repositories, facilitating exploitation. Gogs released version 0. 14. 3 to patch this vulnerability on June 7, 2026.
AI Analysis
Technical Summary
The vulnerability is an argument injection flaw in the Merge() code path of Gogs, enabling remote code execution by authenticated users without admin rights. Since Gogs defaults to open registration and unlimited repository creation, attackers can self-register and create repositories to exploit the flaw. The vulnerability affects all Gogs versions up to 0.14.2 and 0.15.0+dev. The exploit chain allows attackers to compromise the server, read private repositories, steal credentials, move laterally, and modify source code. The issue was discovered by Rapid7 researcher Jonah Burgess and patched in Gogs version 0.14.3 via pull request #8301. Mitigations include disabling registration and limiting repository creation. This vulnerability is similar to previous argument injection flaws but affects a previously unaddressed code path.
Potential Impact
Successful exploitation allows attackers with basic user privileges to execute arbitrary code remotely on Gogs servers, access and modify any repositories including private ones, steal credentials, and perform lateral movement within the network. The vulnerability significantly compromises the confidentiality, integrity, and availability of the affected Gogs instances. Since default configurations enable open registration and unlimited repository creation, the attack surface is large, potentially allowing unauthenticated attackers to gain initial access by creating accounts and repositories. No active exploitation has been reported at this time.
Mitigation Recommendations
A patch is available in Gogs version 0.14.3 released on June 7, 2026, which fixes this critical vulnerability. All users are strongly advised to upgrade immediately. For those unable to patch promptly, Rapid7 recommends disabling user registration (set DISABLE_REGISTRATION = true in app.ini) to prevent untrusted account creation and restricting repository creation (set MAX_CREATION_LIMIT = 0) to block the easiest attack vector. Auditing and managing rebase merge settings can provide limited mitigation but are not fully effective against malicious repository owners or admins. These mitigations reduce risk until the official patch can be applied.
Gogs patches critical zero-day enabling remote code execution
Description
A critical zero-day vulnerability in Gogs, a self-hosted Git service, allows authenticated users without admin privileges to execute remote code on Internet-facing instances. The flaw, an argument injection vulnerability affecting all versions up to 0. 14. 2 and 0. 15. 0+dev, enables attackers to access any repositories including private ones, steal credentials, and alter source code. Exploitation requires at least basic user privileges, but default configurations with open registration allow unauthenticated attackers to create accounts and repositories, facilitating exploitation. Gogs released version 0. 14. 3 to patch this vulnerability on June 7, 2026.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability is an argument injection flaw in the Merge() code path of Gogs, enabling remote code execution by authenticated users without admin rights. Since Gogs defaults to open registration and unlimited repository creation, attackers can self-register and create repositories to exploit the flaw. The vulnerability affects all Gogs versions up to 0.14.2 and 0.15.0+dev. The exploit chain allows attackers to compromise the server, read private repositories, steal credentials, move laterally, and modify source code. The issue was discovered by Rapid7 researcher Jonah Burgess and patched in Gogs version 0.14.3 via pull request #8301. Mitigations include disabling registration and limiting repository creation. This vulnerability is similar to previous argument injection flaws but affects a previously unaddressed code path.
Potential Impact
Successful exploitation allows attackers with basic user privileges to execute arbitrary code remotely on Gogs servers, access and modify any repositories including private ones, steal credentials, and perform lateral movement within the network. The vulnerability significantly compromises the confidentiality, integrity, and availability of the affected Gogs instances. Since default configurations enable open registration and unlimited repository creation, the attack surface is large, potentially allowing unauthenticated attackers to gain initial access by creating accounts and repositories. No active exploitation has been reported at this time.
Mitigation Recommendations
A patch is available in Gogs version 0.14.3 released on June 7, 2026, which fixes this critical vulnerability. All users are strongly advised to upgrade immediately. For those unable to patch promptly, Rapid7 recommends disabling user registration (set DISABLE_REGISTRATION = true in app.ini) to prevent untrusted account creation and restricting repository creation (set MAX_CREATION_LIMIT = 0) to block the easiest attack vector. Auditing and managing rebase merge settings can provide limited mitigation but are not fully effective against malicious repository owners or admins. These mitigations reduce risk until the official patch can be applied.
Technical Details
- Article Source
- {"url":"https://www.bleepingcomputer.com/news/security/gogs-patches-critical-zero-day-enabling-remote-code-execution/","fetched":true,"fetchedAt":"2026-06-08T16:33:35.854Z","wordCount":924}
Threat ID: 6a26eedfe29bf47b502f366f
Added to database: 6/8/2026, 4:33:35 PM
Last enriched: 6/8/2026, 4:33:43 PM
Last updated: 6/8/2026, 6:56:21 PM
Views: 9
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.