Skip to content

New Rule - Gogs Rebase RCE Argument Injection via Git --exec Flag (Linux) #6039

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
WRG-11 wants to merge 5 commits into from
+46 −0
Closed

New Rule - Gogs Rebase RCE Argument Injection via Git --exec Flag (Linux) #6039

Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
6b776e1
feat: add Gogs rebase RCE argument injection detection rule (Linux)
WRG-11 Jun 2, 2026
1805424
fix: express falsepositives as a concrete scenario per SigmaHQ conven…
WRG-11 Jun 2, 2026
0b37e28
style: drop forbidden YAML document-start marker (SigmaHQ yamllint do…
WRG-11 Jun 2, 2026
2e3fe6d
Add detection rule for CVE-2026-52806 exploitation
WRG-11 Jun 12, 2026
b80a7c6
Delete rules/linux/process_creation/proc_creation_lnx_gogs_rebase_rce…
WRG-11 Jun 12, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
46 changes: 46 additions & 0 deletions ...merging-threats/2026/Exploits/CVE-2026-52806/proc_creation_lnx_exploit_cve_2026_52806.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,46 @@
title: Potential CVE-2026-52806 Exploitation - Gogs Rebase Argument Injection RCE
id: c1c6a4a7-9795-5282-80c7-11da044740ae
status: experimental
description: |
Detects exploitation of CVE-2026-52806, an authenticated argument-injection remote code execution
(CWE-88, CVSSv4 9.4) in Gogs. A pull request with a malicious base-branch name injects an --exec flag
into the git rebase that Gogs runs during "Rebase before merging". Because the base branch name is passed
to git rebase without a -- separator, a branch named like --exec=<cmd> is interpreted by git as a flag and
the command runs via sh -c as the Gogs server user. Any authenticated user can exploit it; on instances
with open registration (the default) that means any user. A public Metasploit module exists
(multi/http/gogs_rebase_rce). Fixed in Gogs 0.14.3. The 0-FP discriminator is the parent process: the
exploit launches git rebase from the Gogs server process, whereas a legitimate git rebase --exec from a
developer shell or CI runner has a non-gogs parent and does not match.
references:
- https://www.rapid7.com/blog/post/ve-authenticated-rce-via-argument-injection-gogs-unfixed/
- https://thehackernews.com/2026/05/critical-gogs-rce-vulnerability-lets.html
- https://github.com/gogs/gogs/pull/8301
author: WRG-11
date: 2026-06-01
modified: 2026-06-12
tags:
- attack.execution
- attack.initial-access
- attack.t1059
- attack.t1190
- detection.emerging-threats
- cve.2026-52806
logsource:
category: process_creation
product: linux
detection:
selection_git_rebase:
Image|endswith: '/git'
CommandLine|contains: 'rebase'
selection_exec_injection:
CommandLine|contains:
- '--exec'
- ' -x '
selection_gogs_parent:
ParentImage|endswith: '/gogs'
condition: selection_git_rebase and selection_exec_injection and selection_gogs_parent
falsepositives:
- A deployment that intentionally runs 'git rebase --exec' as the Gogs service user (for example
a scripted maintenance task); add a CommandLine allowlist for that specific command after
field-testing.
level: critical
Loading