CVE-2024-39932
Description
Gogs through 0.13.0 argument injection during changes preview allows unprivileged users to write arbitrary files and gain admin rights.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Gogs through 0.13.0 argument injection during changes preview allows unprivileged users to write arbitrary files and gain admin rights.
Vulnerability
CVE-2024-39932 is an argument injection vulnerability in Gogs, a self-hosted Git service, affecting versions through 0.13.0. The flaw occurs during the previewing of changes, where unintended Git options are passed, leading to injection [1][4].
Exploitation
An unprivileged user account can exploit this by crafting a request to the changes preview feature. No authentication is required beyond having a user account; the attack is network-based and can be executed by any authenticated user with access to create or modify repositories [4].
Impact
Successful exploitation allows an attacker to write arbitrary files on the file system. This can be leveraged to force a re-installation of the Gogs instance, thereby granting administrator rights. The attacker can then access and alter any user's code hosted on the instance, potentially stealing source code or planting backdoors [1][4].
Mitigation
The official patch ignores unintended Git options for diff preview (#7871). Users should upgrade to Gogs 0.13.1 or the latest 0.14.0+dev. No viable workaround is available; restricting access to trusted users is recommended but does not fully mitigate the risk [4].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
gogs.io/gogsGo | < 0.13.1 | 0.13.1 |
Affected products
2Patches
0No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
6- github.com/advisories/GHSA-9pp6-wq8c-3w2cghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2024-39932ghsaADVISORY
- github.com/gogs/gogs/security/advisories/GHSA-9pp6-wq8c-3w2cghsaWEB
- www.sonarsource.com/blog/securing-developer-tools-unpatched-code-vulnerabilities-in-gogs-1ghsaWEB
- github.com/gogs/gogs/releasesmitre
- www.sonarsource.com/blog/securing-developer-tools-unpatched-code-vulnerabilities-in-gogs-1/mitre
News mentions
3- Gogs patches critical zero-day enabling remote code executionBleepingComputer · Jun 8, 2026
- New Gogs zero-day flaw lets hackers get remote code executionBleepingComputer · May 28, 2026
- CVE-2026-52806: Authenticated RCE via Argument Injection in Gogs (FIXED as of June 7, 2026)Rapid7 Blog · May 28, 2026