Dangerous Gogs Security Bug Grants Hackers Total Control

A major security flaw has been found in Gogs, a well-known free tool that people use to host their own Git code repositories. This software bug allows anyone who can log into the system to run harmful code on the main server. Security experts at Rapid7 gave this flaw a nearly perfect danger score of 9.4 out of 10, though it has not yet been given an official tracking number.

The issue comes down to how the system handles a common code-sharing feature. According to security researcher Jonah Burgess, a hacker can take over the server by sending a specific kind of code update request, known as a pull request. By naming their code branch in a tricky way, they can sneak a dangerous command into the system when the server tries to clean up and combine the code.

How the Hack Works Under the Hood

To understand why this happens, you have to look at how Gogs merges code. Programmers often use a feature called “git rebase” to rewrite code history and keep things organized. However, this feature also has a hidden function that lets users run a quick command on the computer right after updating the history. The Gogs software fails to double-check the names of the code branches, which allows hackers to abuse this hidden function.

What makes this vulnerability so scary is that a hacker does not need to be a system administrator to pull it off. They do not even need to trick another user into clicking a link. On a standard Gogs setup, a bad actor just needs to sign up for a free account and start a new project.

Because the system automatically makes them the owner of their own project, they can turn on the dangerous code-merging setting with one click. From there, they can run the entire attack by themselves in seconds. If a server blocks people from making new accounts, a hacker can still pull off the attack if they already have permission to edit just one existing project.
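As an added illustration (not Gogs's own code and not from the researchers' report), here is the kind of defender-side check the description above implies: reject branch names that git's command-line parser could read as something other than a plain ref name, and place a `--` separator so that names are never parsed as options. The ref-name rules follow git-check-ref-format(1); the rebase argument order is an assumption about how a server might invoke git.

```python
import re

# Characters git never allows in a ref name: control chars, space, DEL,
# and the shell/glob-like characters ~ ^ : ? * [ \ (per git-check-ref-format).
_FORBIDDEN_CHARS = re.compile(r"[\x00-\x20\x7f~^:?*\[\\]")


def is_safe_branch_name(name: str) -> bool:
    """Return True only if `name` is a valid git ref name that can be passed
    to git as a positional argument. Everything else is rejected up front."""
    if not name or name == "@":
        return False
    # A leading dash would let git treat the "branch" as a command-line option,
    # which is exactly the class of mistake the article describes.
    if name.startswith("-"):
        return False
    if _FORBIDDEN_CHARS.search(name):
        return False
    if name.startswith("/") or name.endswith("/") or "//" in name:
        return False
    if ".." in name or "@{" in name:
        return False
    if name.endswith(".") or name.endswith(".lock"):
        return False
    # No path component may start with "." or end with ".lock".
    for component in name.split("/"):
        if component.startswith(".") or component.endswith(".lock"):
            return False
    return True


def rebase_argv(head_branch: str, base_branch: str) -> list[str]:
    """Build the argv for rebasing a pull-request branch onto its base.

    Assumed invocation (not Gogs's actual command): `git rebase <base> <head>`.
    The `--` tells git's option parser that nothing after it is an option,
    and unsafe names are refused before any process is spawned."""
    for branch in (head_branch, base_branch):
        if not is_safe_branch_name(branch):
            raise ValueError(f"refusing unsafe branch name: {branch!r}")
    return ["git", "rebase", "--", base_branch, head_branch]
```

Pass the returned list to a process API that takes an argument vector (no shell), so the names are never re-parsed by a shell either.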

The Severe Risks and How to Stop It

Right now, the creators of Gogs have not fixed this problem, even though researchers warned them about it back in March 2026. If a hacker successfully exploits this bug, the consequences could be devastating. They could break into the underlying server, steal every single piece of code stored on the system, grab secret passwords, and jump into other private company computers. Even worse, on shared servers, a hacker could easily peek into private projects belonging to completely different companies or users.

Experts state that this flaw endangers Gogs installations running on Windows, Linux, and Mac computers. Right now, there are well over a thousand of these systems openly connected to the internet, and likely many more hidden inside private corporate networks.

Since there is no official fix yet, server owners need to protect themselves immediately. Experts suggest turning off public registration so strangers cannot make new accounts. Owners should also change settings to stop regular users from starting new projects, and double-check who has permission to merge code. To make matters worse, a free hacking tool has already been released to the public that automates this entire attack, meaning almost anyone can execute it with minimal effort.
