Carrot Disclosure: Forgejo Security Findings

Date of Data Posted: 2026-04-28

What You Need to Be Aware Of

  • Forgejo, the Git forge adopted by Fedora, has a wide range of security weaknesses including SSRF, missing CSP/Trusted‑Types, and cryptographic misconfigurations.
  • Vulnerabilities span authentication (OAuth2, OTP, session handling), denial‑of‑service vectors, information leakage, and several TOCTOU bugs that can lead to remote code execution (RCE).

How It Might Affect You

  • Operational Impact: An attacker could gain persistent admin access via a chain of exploits, potentially compromising repositories, CI pipelines, and user data.
  • Compliance & Reputation: Publicly disclosed flaws may violate privacy regulations if sensitive information is leaked and can erode trust in your code‑hosting platform.

Mitigation Steps

  1. Immediate Actions – If you host a Forgejo instance:
    • Disable open registration or restrict it to trusted users until the issue is patched.
    • Apply any available security patches from the official release channel (check the project’s GitHub for updated tags).
  2. Long‑Term Measures
    • Conduct an internal audit of your Forgejo deployment, focusing on the identified weaknesses: enable CSP headers, enforce OAuth2 best practices, and review cryptographic key handling.
    • Adopt a carrot disclosure approach: share a redacted proof‑of‑concept with Forgejo maintainers to incentivise a comprehensive fix rather than patching each issue individually.

Sources
Carrot Disclosure: Forgejo (2026-04-28)
Daily.dev post on Carrot Disclosure (2026-04-28)

Risk Assessment: High (multiple critical vulnerabilities, RCE chain demonstrated).