Critical Gogs RCE Vulnerability Lets Any Authenticated User Execute Arbitrary Code

A critical security vulnerability has been disclosed in Gogs, a popular open-source self-hosted Git service, that allows an authenticated user to execute arbitrary code under certain conditions. The security flaw, per Rapid7, is rated 9.4 on the CVSS scoring system. It does not have a CVE identifier. "The vulnerability allows any authenticated user to achieve remote code execution (RCE) on

The article reports a critical, unpatched remote code execution vulnerability in Gogs, a self-hosted Git service, that allows any authenticated user to execute arbitrary code by abusing a malicious branch name during a 'Rebase before merging' operation, with a CVSS score of 9.4 and no CVE assigned.[1] Successful exploitation lets attackers fully compromise the Gogs server, access all repositories, dump credentials, move laterally, and read private, cross-tenant repositories, with over a thousand internet-facing instances identified and a Metasploit module publicly available.[1] From a CyberSE.AI perspective, any AI development or MLOps pipelines that rely on Gogs as a code or model repository face elevated supply chain risk: an attacker with low-privilege access could tamper with application code, AI agents, or model artifacts, silently poisoning builds or inserting backdoors. Organizations should treat Gogs as a critical component in the AI software supply chain, implement strong network isolation and account controls, and include Gogs instances in SBOM-driven monitoring and continuous vulnerability management until an official patch is available.