Carrot Disclosure: Forgejo

Fedora’s new code home gets blasted, and the comments are an all-out food fight

TLDR: A researcher says Forgejo, the platform behind Fedora’s new code home, has serious holes and posted proof of a server takeover on a test setup. Commenters are split between calling it a crucial warning and dismissing it as theatrical rage bait, which matters because many projects trust this software.

A security researcher dropped a very dramatic warning about Forgejo, the code-hosting platform Fedora now uses, claiming they found a chain of bugs that could end in full control of a server. Instead of publishing the full recipe, they went with what they cheekily called “carrot disclosure”: basically, look, I can do this, now fix your house. The proof they posted showed a backdoor admin account and command execution on a test server — which was enough to send readers straight into the comments for a full-on brawl.

And wow, the crowd did not agree on what they were seeing. One camp treated the post like a giant red alarm, especially after commenters pointed out the author had already sent multiple pull requests fixing what they called fundamental security flaws. The other camp called the whole thing “rage bait”, saying the write-up was vague, theatrical, and weirdly angry at Forgejo for having a security reporting process at all. Forgejo’s own response only turned up the heat: they said there was no known path to full server takeover without internal credentials, framing the issues more as safety improvements and denial-of-service risks than apocalypse-now.

The funniest reaction? People immediately turned the author’s carrot metaphor into a meme. Between “Bugs Bunnies,” refund demands for wasted reading time, and one commenter retelling an old cryptography parable about endlessly “fixing” a broken design, the real show wasn’t the exploit — it was the comment section deciding whether this was a heroic wake-up call or a grandstanding stunt.

Key Points

  • The author says a review of Forgejo after Fedora’s migration from Pagure uncovered multiple security weaknesses across web, authentication, cryptographic, and availability areas.
  • The article claims these issues can be chained into remote code execution, secret leakage, persistent account access, and OAuth2 privilege escalation.
  • According to the post, the exploit requires open registration and a non-default configuration setting, which the author says exists on some real instances.
  • Rather than fully disclosing the bugs, the author proposes a “carrot disclosure” approach that publishes only redacted exploit output to demonstrate exploitability.
  • The post includes proof-of-concept output showing creation of a backdoor admin account, command execution confirmation, and hashes/listings for the PoC files.

Hottest takes

"I honestly want a refund on the 10 minutes I wasted reading this." — isodev
"The author of the recent 'Carrot disclosure' blog post... There is no known RCE exploit possible without internal server credentials." — bmitch3020
"The author sent 5 more pull requests fixing (tragically) fundamental security flaws." — jeremiahlee
Made with <3 by @siedrix and @shesho from CDMX. Powered by Forge&Hive.