Rapid7 publishes unpatched Gogs argument-injection RCE with a Metasploit module; maintainer non-responsive
From CTI Daily Brief — 2026-05-29 · published 2026-05-29
Rapid7 Labs disclosed on 2026-05-28 an authenticated-RCE zero-day in Gogs, the open-source self-hosted Git service. The root cause is in the Merge() function in internal/database/pull.go: when the "Rebase before merging" strategy is invoked on a pull request, Gogs passes the source-branch name unsanitised to process.ExecDir, bypassing the safer git-module wrappers. An attacker creates a branch named, for example, --exec=<command>; when git rebase runs with that name in its argument list, git parses it as its own --exec option and the command executes under the Gogs service account. Affected: Gogs 0.14.2 and 0.15.0+dev (commit b53d3162); all prior versions that support the rebase-merge strategy are likely affected too. The maintainer acknowledged the report on 2026-03-28 (reported 2026-03-17) but has not shipped a fix; Rapid7 published after the standard 90-day window expired. Rapid7 also released a full Metasploit module covering Windows and Linux targets. Shodan shows ~1,141 internet-facing Gogs instances. The class is CWE-88 argument injection, the same technique family as CVE-2024-39930 / 39932 / 39933 in prior Gogs disclosures. The Hacker News writeup corroborates this and adds that no admin privileges are required, only account creation and repository access.
Why it matters to us: Self-hosted Gogs is common in European public-sector code and research infrastructure as a lightweight GitHub alternative. Until a patched fork (Gitea / Forgejo) is adopted, set DISABLE_REGISTRATION = true in app.ini, disable the "Rebase before merging" strategy under instance settings, and watch for git child processes carrying --exec in the Gogs binary's process tree (Sysmon EID 1 / auditd EXECVE).
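As an added illustration of the bug class above and the fix a maintainer would want, this Go snippet (written for this brief, not Gogs code and not Rapid7's module) contrasts the argv pattern the brief describes with a hardened builder that rejects option-shaped ref names and fully qualifies refs before they reach git; the argv shape, the function names and the allow-list policy are assumptions.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Assumed allow-list for user-supplied branch names (our policy, not git's own check-ref-format rules).
var refChars = regexp.MustCompile(`^[A-Za-z0-9._/-]+$`)

// ValidateBranchName rejects names that git would parse as an option instead of
// a positional ref (the CWE-88 vector in the brief) plus a few path tricks.
func ValidateBranchName(ref string) error {
	switch {
	case ref == "":
		return fmt.Errorf("empty ref name")
	case strings.HasPrefix(ref, "-"):
		return fmt.Errorf("ref %q would be parsed as a git option", ref)
	case strings.Contains(ref, ".."), strings.HasSuffix(ref, ".lock"):
		return fmt.Errorf("ref %q contains a forbidden sequence", ref)
	case !refChars.MatchString(ref):
		return fmt.Errorf("ref %q contains disallowed characters", ref)
	}
	return nil
}

// UnsafeRebaseArgs mirrors the pattern the brief describes: the user-controlled name goes straight into argv.
func UnsafeRebaseArgs(base, head string) []string {
	return []string{"rebase", base, head}
}

// SafeRebaseArgs validates both names, then fully qualifies them so that even a
// name starting with "-" could never sit where git looks for options.
func SafeRebaseArgs(base, head string) ([]string, error) {
	for _, r := range []string{base, head} {
		if err := ValidateBranchName(r); err != nil {
			return nil, err
		}
	}
	return []string{"rebase", "refs/heads/" + base, "refs/heads/" + head}, nil
}

func main() {
	// Constructed inputs: one ordinary branch name and one option-shaped name.
	for _, head := range []string{"feature/login", "--exec=<command>"} {
		args, err := SafeRebaseArgs("main", head)
		fmt.Printf("%-18s unsafe=%q safe=%q err=%v\n", head, UnsafeRebaseArgs("main", head), args, err)
	}
}
```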