Statement regarding GNU Savannah security reports

Free Software Foundation https://www.fsf.org/author/fsfweb
Published on Jun 19, 2026 05:12 PM

Summary: The Free Software Foundation announced that security researchers from Hacktron reported vulnerabilities in GNU Savannah in early May, which have since been patched. No evidence of sensitive data compromise or supply chain breach was found, but additional precautions are being taken. The FSF is communicating with hosted projects and other Savane instances to enhance security.

In early May, security researchers from Hacktron https://hacktron.ai reported vulnerabilities affecting GNU Savannah https://savannah.gnu.org and demonstrated an exploit. We have been working with these researchers since their initial report, and have also addressed additional security issues they submitted. All reported issues have been patched thanks to the hard work of GNU and FSF volunteers, as well as FSF staff.

After thorough review, we have found no reason to believe that sensitive project data or credentials were accessed, nor that there has been any compromise of Savannah's software supply chain. Nevertheless, we take the security of the GNU system, the tools which make it possible, and the projects we host very seriously. This body of software has become essential to millions if not billions of users around the world. We are therefore taking additional precautionary steps.

Though the initial security issue was reported to us in early May, the vulnerabilities were found in software that had been published approximately two years earlier. We will be communicating directly with Savannah-hosted projects about steps they can take to review and strengthen the security of their projects.

We have also communicated with the other Savane instances we're aware of, so that they can review their own environments and take any steps needed to protect their users. If you host your own instance of the Savane forge and believe you may be affected, you can contact us for guidance on mitigation steps and patching your systems.

We thank Hacktron for informing us about these issues.

As we have previously documented https://www.fsf.org/bulletin/2025/spring/defending-savannah-from-ddos-attacks , maintaining critical free software infrastructure requires sustained effort, specialized expertise, and long-term resilience. These requirements have grown sharply in the last few years. Systems like Savannah support essential collaboration across the free software movement, and keeping them reliable and secure depends on the work of dedicated volunteers and staff. If you would like to help us with the increased security challenges we are facing, please consider becoming an associate member https://my.fsf.org/join or making a donation https://my.fsf.org/donate .

This statement is intended as an initial notice. We expect to publish a report on the incident within 30 days.