
Gogs has patched a critical zero-day flaw that allows attackers to compromise Internet-facing instances and access any repository they host, including private ones.
This argument injection vulnerability has yet to be assigned a CVE ID. It can only be exploited by authenticated attackers, but it does not require admin privileges, and it affects all Gogs releases up to and including 0.14.2 and 0.15.0+dev.
Attackers can exploit it to compromise the targeted server, read any repository (including private repos), steal credentials, move laterally to other systems on the network, and alter any hosted source code.
While threat actors would need at least basic user privileges to exploit the flaw, Rapid7 security researcher Jonah Burgess (who discovered and reported it) said it affects all Gogs servers with default configurations.
"Since Gogs ships with open registration enabled by default (DISABLE_REGISTRATION = false) and no limit on repository creation (MAX_CREATION_LIMIT = -1), an unauthenticated attacker can simply create an account and repository on any default-configured instance," Burgess warned two weeks ago.
"Any registered user who creates a repo is automatically its owner. From there, enabling rebase merging is a single toggle in settings, and the entire exploit chain can be operated without interaction from any other user."
Over the weekend, on June 7, the Gogs maintainers released version 0.14.3 to patch this flaw and requested a CVE ID. That was 10 days after Rapid7 publicly disclosed the vulnerability, having received no response to multiple status-update requests.
"Rapid7 recommends that all Gogs users upgrade immediately. The fix was implemented via pull request #8301," Burgess added.
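As an added defender-side check (not code from Rapid7 or the Gogs project), the script below audits a Gogs `app.ini` and version string against the two shipped defaults Burgess cited and the 0.14.3 fix release. Section names follow the layout of Gogs' `app.ini` (`[service]` and `[repository]`); the sample configuration is constructed, and treating `+dev` builds as unpatched is an assumption made for a conservative result.

```python
import configparser
import re

# Constructed sample of a Gogs app.ini carrying the shipped defaults (not taken from any real server).
SAMPLE_APP_INI = """
[repository]
MAX_CREATION_LIMIT = -1

[service]
DISABLE_REGISTRATION = false
REQUIRE_SIGNIN_VIEW = false
"""

FIXED_VERSION = (0, 14, 3)  # first release carrying the fix from pull request #8301


def parse_version(version: str):
    """Turn '0.14.2' or '0.15.0+dev' into (numbers, is_dev_build)."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)(\+dev)?$", version.strip())
    if not m:
        raise ValueError(f"unrecognised Gogs version string: {version!r}")
    numbers = tuple(int(x) for x in m.groups()[:3])
    return numbers, m.group(4) is not None


def is_vulnerable_version(version: str) -> bool:
    numbers, is_dev = parse_version(version)
    # Assumption: a +dev build cannot be proven to include the fix, so flag it for an upgrade.
    if is_dev:
        return True
    return numbers < FIXED_VERSION


def audit(app_ini_text: str, version: str) -> list[str]:
    """Return the findings that make a default-configured instance exposed to the flaw."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(app_ini_text)
    findings = []
    if is_vulnerable_version(version):
        findings.append(f"version {version} predates 0.14.3: upgrade immediately")
    # Gogs ships with open registration: anyone can create the low-privilege account the flaw needs.
    if not cfg.getboolean("service", "DISABLE_REGISTRATION", fallback=False):
        findings.append("DISABLE_REGISTRATION = false: open registration lets anyone obtain an account")
    # -1 means no per-user cap on repository creation, the second default Burgess called out.
    if cfg.getint("repository", "MAX_CREATION_LIMIT", fallback=-1) == -1:
        findings.append("MAX_CREATION_LIMIT = -1: every registered user can create repositories")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_APP_INI, "0.14.2"):
        print("FINDING:", finding)
```

Running it against the sample reports all three findings; a patched instance with registration disabled and a repository cap set reports none.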
Rapid7 also shared mitigation measures for users who cannot patch their Gogs instances immediately, which require them to:
Written in Go and designed as an alternative to GitHub Enterprise or GitLab, Gogs is often exposed online as a remote collaboration platform.
Internet security watchdog Shadowserver currently tracks over 2,300 Internet-exposed Gogs servers, most of them in Asia (1,839) and Europe (312), while Shodan lists just over 1,000 IP addresses with a Gogs fingerprint.

Burgess also said that this flaw is very similar to other argument-injection flaws that the Gogs security team has patched in recent years (e.g., CVE-2024-39933, CVE-2024-39932, CVE-2026-26194, and CVE-2024-39930), but it affects a different code path (Merge()) that was never addressed.
In early December 2026, Gogs patched another RCE vulnerability (CVE-2025-8110) after it was exploited in zero-day attacks to compromise hundreds of servers.
"Many of these instances are configured with 'Open Registration' enabled by default, creating a massive attack surface," Wiz security researchers (who reported the flaw) said.
On January 12, CISA confirmed that CVE-2025-8110 was being abused in the wild and added it to its catalog of actively exploited vulnerabilities, ordering Federal Civilian Executive Branch (FCEB) agencies to secure their servers within three weeks, by February 2.
"This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise," CISA warned at the time.