Description
Gogs is an open source self-hosted Git service. Prior to 0.14.3, Gogs allows authenticated users to achieve Remote Code Execution (RCE) on the server by creating a pull request with a specially crafted branch name that injects the --exec flag into the git rebase command during the "Rebase before merging" merge operation. This vulnerability is fixed in 0.14.3.
Published: 2026-06-24
Score: 9.9 Critical
EPSS: 1.0% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Gogs, an open‑source self‑hosted Git service, contains an OS command injection flaw that allows an authenticated user to trigger remote code execution on the server. By creating a pull request with a specially crafted branch name, the user can inject the --exec flag into the git rebase command executed during the "Rebase before merging" merge operation, allowing arbitrary commands to run under the service process. The vulnerability is categorized as CWE‑77 and carries a high impact score of 9.9 on the CVSS scale.

Affected Systems

All Gogs installations running a version prior to 0.14.3 are affected. The flaw applies to every instance that permits authenticated users to create pull requests and use the rebase‑before‑merge merge strategy. Users operating older releases should identify the exact version of Gogs deployed and verify whether it is below the fixed release.

Risk and Exploitability

This issue is high severity and is not listed in the CISA KEV catalog. The exploitation requires only that the attacker be authenticated with sufficient privileges to create pull requests, which is typical for repository collaborators. Because the flaw directly invokes a shell command with user‑controlled input, the risk of successful exploitation is significant. The EPSS score of 1% indicates a low but nonzero exploitation probability.

Generated by OpenCVE AI on June 25, 2026 at 14:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Gogs to version 0.14.3 or newer as released by the maintainers.
  • If immediate upgrade is not possible, disable the "Rebase before merging" feature in the repository settings or restrict it to users who require it.
  • Implement a branch naming policy that forbids the use of characters that could be interpreted by the git rebase command (e.g., "--exec").

Generated by OpenCVE AI on June 25, 2026 at 14:42 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-qf6p-p7ww-cwr9 Gogs vulnerable to RCE via git rebase --exec argument injection in pull request merge
History

Thu, 25 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 25 Jun 2026 06:15:00 +0000

Type Values Removed Values Added
First Time appeared Gogs
Gogs gogs
Vendors & Products Gogs
Gogs gogs

Wed, 24 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Description Gogs is an open source self-hosted Git service. Prior to 0.14.3, Gogs allows authenticated users to achieve Remote Code Execution (RCE) on the server by creating a pull request with a specially crafted branch name that injects the --exec flag into the git rebase command during the "Rebase before merging" merge operation. This vulnerability is fixed in 0.14.3.
Title Gogs: RCE via git rebase --exec argument injection in pull request merge
Weaknesses CWE-77
References
Metrics cvssV3_1

{'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-26T03:55:44.022Z

Reserved: 2026-06-08T18:02:19.731Z

Link: CVE-2026-52806

cve-icon Vulnrichment

Updated: 2026-06-25T12:39:18.336Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-25T14:45:02Z

Weaknesses
  • CWE-77

    Improper Neutralization of Special Elements used in a Command ('Command Injection')