GitBucket Remote Code Execution Vulnerability

Vulnerability

A remote code execution vulnerability has been identified in GitBucket version 4.23.1. This vulnerability allows unauthenticated attackers to execute arbitrary commands by exploiting weak secret token generation and insecure file upload capabilities. Attackers can brute-force the Blowfish encryption key, upload a malicious JAR plugin through the git-lfs endpoint, and execute system commands via an exposed exploit endpoint.

Impact

Exploitation of this vulnerability allows for unauthenticated remote code execution on the server where GitBucket is running.

Reproduction

The vulnerability can be reproduced by first brute-forcing the Blowfish encryption key, which is used to authorize file uploads through the git-lfs endpoint. Once the key is obtained, a malicious JAR file can be uploaded as a plugin. After the plugin is loaded, commands can be executed on the system through the exploit endpoint.

Remediation

Users are advised to update GitBucket to version 4.24.1 or later.

Added: May 17, 2026, 1:24 PM
Updated: May 17, 2026, 1:24 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 7.5
exploitability: 6.6
remediation: 0.0
relevance: 8.6
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.