New Gogs zero-day flaw lets hackers get remote code execution
An unpatched zero-day vulnerability in the Gogs self-hosted Git service can allow attackers to gain remote code execution (RCE) on Internet-facing instances. [...]
AI Analysis
Technical Summary
This vulnerability is an argument injection flaw in the Merge() code path of Gogs, a self-hosted Git service written in Go. It allows authenticated users without admin privileges to inject the "--exec" flag into the git rebase command during the 'Rebase before merging' operation, resulting in remote code execution as the Gogs server process user. Because the default settings enable open registration and unlimited repository creation, attackers can easily create the accounts and repositories needed to exploit this flaw. Successful exploitation permits attackers to compromise the server, access all repositories including private ones, extract credentials such as password hashes, API tokens, SSH keys, and 2FA secrets, and pivot to other network systems. The vulnerability was reported on March 17, 2026, but no patch or detailed response had been provided by the Gogs maintainers as of the publication date. This flaw is similar in nature to argument injection vulnerabilities patched earlier in Gogs, but it affects a code path those patches did not cover.
Potential Impact
The impact of this vulnerability is critical. Attackers can achieve remote code execution on Gogs servers, leading to full compromise of the affected system. This includes unauthorized access to all repositories hosted on the server, including private repositories, theft of sensitive credentials, and potential lateral movement to other networked systems. The flaw affects all Gogs servers with default configurations, which are common, thereby increasing the attack surface significantly. No active exploitation has been reported yet, but the exposure of thousands of Gogs servers online, especially in Asia and Europe, presents a substantial risk.
Mitigation Recommendations
As of the latest information, no official patch or fix is available from the Gogs maintainers. The vulnerability remains unpatched despite being reported months ago. Organizations using Gogs should consider disabling open registration and limiting repository creation as temporary mitigations to reduce the attack surface. Monitoring for unusual repository creation and merge operations may help detect exploitation attempts. Users should follow updates from the Gogs maintainers closely and apply any official patches immediately once released. Patch status is not yet confirmed; check the vendor advisory for current remediation guidance.
Technical Details
- Article Source: https://www.bleepingcomputer.com/news/security/new-gogs-zero-day-flaw-lets-hackers-get-remote-code-execution/ (fetched 2026-05-28T14:33:33Z, 850 words)
Threat ID: 6a18523de29bf47b50f66536
Added to database: 5/28/2026, 2:33:33 PM
Last enriched: 5/28/2026, 2:33:43 PM
Last updated: 5/29/2026, 5:30:21 PM