Vulnerability
Security Patch Release
Gogs Rebase Injection Remote Code Execution and 0.14.3 Patch Response
Updated 08.06.2026 19:18
Case score 59
Why this score?
Case score is a discovery signal based on public evidence, not a guaranteed risk rating. Use it to decide what to review first, then verify important details from the linked sources.
- Total
- 59
- Main story score
- 59
- Related evidence lift
- +0 / 20
- Contributing updates
- 0
- Context updates
- 1
Top contributors
- Vulnerability Defines the affected versions, exploit path, exposure conditions, and compromise impact of the Gogs rebase argument injection flaw. main
- Security Patch Release Adds the confirmed 0.14.3 fix, immediate upgrade guidance, and interim hardening steps for operators. context
Title history
-
Old: Unpatched Gogs Rebase Injection Remote Code Execution RiskNew: Gogs Rebase Injection Remote Code Execution and 0.14.3 Patch ResponseWhy old title changed: The previous title says the issue is unpatched, but Gogs has now released version 0.14.3 to fix the flaw.The new title preserves the core Gogs remote code execution framing while reflecting the now-central reader priority: immediate patch response after the 0.14.3 release.
Case score 59
Members 2
Latest activity 08.06.2026 19:18
Patch available
Members 2
First seen 28.05.2026 17:25
Last seen 08.06.2026 19:18
Updated 08.06.2026 19:18
Overview
A critical **Gogs** argument injection flaw in the **Rebase before merging** workflow exposed Internet-facing servers to authenticated remote code execution until **version 0.14.3** shipped on June 7, 2026. The flaw affects releases up to **0.14.2** and **0.15.0+dev**, and default open registration plus unrestricted repository creation can lower the barrier to reach the vulnerable path on exposed deployments.
Successful abuse could expose private repositories and sensitive secrets while enabling unauthorized code changes or further movement from the server. Available evidence still does not confirm in-the-wild exploitation of this specific flaw, but operators now have a vendor fix and interim hardening steps if patching must wait.
A critical argument injection flaw in **Gogs** allowed an authenticated, non-admin user to gain remote code execution through the **Rebase before merging** workflow on exposed servers. Affected releases ran through **0.14.2** and **0.15.0+dev**, and a malicious branch name could inject the `--exec` flag into `git rebase` during merge processing. Default deployments with open registration and unlimited repository creation lowered the barrier to reach the vulnerable path, because an attacker could create an account and repository before triggering it. Successful abuse could run code as the Gogs server process user, expose private repositories, **password hashes**, **API tokens**, **SSH keys**, and **2FA secrets**, and enable unauthorized code changes or movement to other reachable systems.
The issue was reported on **March 17**, acknowledged on **March 28**, and public technical details were released on **May 28** while the flaw was still unpatched. Gogs released **version 0.14.3** on **June 7, 2026** to fix the flaw affecting releases up to **0.14.2** and **0.15.0+dev**, shifting response from workaround planning to immediate upgrade. If patching must wait, operators were advised to restrict registration, limit repository creation, and review rebase merge settings to reduce the easiest attack paths. Available material also noted more than **2,400** Internet-facing Gogs servers, concentrated in **Asia** and **Europe**. Available evidence did not confirm in-the-wild exploitation of this specific flaw.
Signals
2 derivedImpact signals
Remediation
Urgency
Immediate
Remediation
Patch available
Member happenings
2 related
Vulnerability
Gogs self-hosted Git service argument injection zero-day remote code execution flaw
Data Type
Passwords
Patch
No Patch
Vulnerability
Gogs self-hosted Git service argument injection zero-day remote code execution flaw
Data Type
Passwords
Patch
No Patch
Security Patch Release
Gogs 0.14.3 security update for argument injection flaw
Urgency
Immediate
Patch
Patch Available
Security Patch Release
Gogs 0.14.3 security update for argument injection flaw
Urgency
Immediate
Patch
Patch Available