A serious security vulnerability has been disclosed in Gogs, a popular open-source self-hosted Git service, that allows an authenticated user to execute arbitrary code under certain conditions.
According to Rapid7, the flaw has been rated 9.4 on the CVSS scoring system. No CVE identifier has been assigned to it.
“This vulnerability allows any authenticated user to achieve remote code execution (RCE) on a server by creating a pull request with a malicious branch name that injects the --exec flag into git rebase during a ‘rebase before merging’ merge operation,” said security researcher Jonah Burgess.
Rebasing is a Git action used to take a sequence of commits from a feature branch and re-run them on top of another base branch to create a linear project history. While “git rebase” solves the same problem as “git merge” – that is, integrating changes from one branch into another – the former rewrites the project history by creating a new commit for each commit in the parent branch.
The “git rebase” action also accepts, via the --exec flag, a shell command that is executed after each commit is reapplied. A notable aspect of the vulnerability is that it requires neither administrative privileges nor interaction with other users. To carry out the attack on any default-configured instance, a threat actor who starts out unauthenticated would only need to create an account and a repository.
“Any registered user who creates a repo automatically owns it,” Burgess said. “From there, enabling rebase merging is a single toggle in Settings, and the entire exploit chain can be conducted without another user interacting.”
In an alternative scenario, a user with write access to a repository where rebase merging is already enabled could exploit the flaw directly to gain code execution. On Gogs instances where repository creation is restricted, an attacker needs write access to any repository that has rebase merging enabled.
At the time of writing, the vulnerability remains unpatched despite having been reported to the maintainer on March 17, 2026. Successful exploitation could give an attacker the ability to compromise the server, access every repository on the instance, dump credentials, move laterally to other network-accessible systems, and tamper with the code of any hosted repository.
Furthermore, it could result in a cross-tenant data breach, allowing an attacker to read the private repositories of other users hosted on the same shared server. According to Rapid7, the flaw affects all supported platforms, such as Windows, Linux, and macOS.
There are an estimated 1,141 Internet-facing Gogs instances. However, the actual figure is expected to be higher, given that most deployments sit behind VPNs or on internal networks.
In the absence of a patch, the following mitigations are recommended:
- Restrict user registration so that untrusted users cannot create accounts (DISABLE_REGISTRATION = TRUE in app.ini)
- Restrict repository creation so that users cannot create their own repositories (MAX_CREATION_LIMIT = 0 in app.ini)
- Audit rebase merge settings
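The bug described above belongs to the argument-injection class: a user-controlled branch name reaches a git command line where the option parser can read it as --exec. As an added illustration of the defensive pattern, not code from Gogs or from Rapid7, the Go snippet below validates ref names before they become operands and terminates option parsing explicitly; the function names are assumptions, and the page does not state how Gogs itself invokes rebase.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ErrUnsafeRef is returned when a user-supplied ref name could be read by
// git's option parser as a flag (such as --exec) instead of as a branch.
var ErrUnsafeRef = errors.New("ref name rejected: not a safe git operand")

// checkRefArg is a conservative allow-list for branch names that are about
// to be placed on a git command line: no leading '-', none of the sequences
// git itself forbids in a ref name, and no control or shell-relevant bytes.
func checkRefArg(name string) error {
	if name == "" || strings.HasPrefix(name, "-") {
		return ErrUnsafeRef
	}
	if strings.Contains(name, "..") || strings.Contains(name, "@{") ||
		strings.HasPrefix(name, "/") || strings.HasSuffix(name, "/") ||
		strings.HasSuffix(name, ".") || strings.HasSuffix(name, ".lock") {
		return ErrUnsafeRef
	}
	for _, r := range name {
		if r <= 0x20 || r == 0x7f || strings.ContainsRune("~^:?*[\\", r) {
			return ErrUnsafeRef
		}
	}
	return nil
}

// rebaseArgs builds the argv for "git rebase <base> <head>" (to be run with
// os/exec, never through a shell). Both names are validated first, and
// --end-of-options (git 2.24+) tells the option parser that every later word
// is positional, so a flag-shaped name can no longer alter rebase's behaviour.
func rebaseArgs(base, head string) ([]string, error) {
	for _, n := range []string{base, head} {
		if err := checkRefArg(n); err != nil {
			return nil, fmt.Errorf("%w: %q", err, n)
		}
	}
	return []string{"rebase", "--end-of-options", base, head}, nil
}
```

Rejecting flag-shaped names at the API boundary (pull-request creation, branch push) gives a second layer in front of the command builder, and a rejected name is also a useful signal to log.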
Rapid7 has also released a Metasploit module that automates the full exploit chain against both Linux and Windows targets. The module supports two modes: a default mode in which a temporary repository is created under the attacker’s account, the exploit is run, and the repository is deleted; and a second mode that targets a repository to which the attacker already has write and merge access.
“When the attacker creates and deletes his own repository, the only trace in the server log is an HTTP 500,” the cybersecurity expert said. “When exploiting existing repositories, additional artifacts remain.”