Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-39904

CVE-2026-39904: Gophish Denial of Service Vulnerability

CVE-2026-39904 is a denial of service vulnerability in Gophish through 0.12.1 that allows authenticated users to exhaust server memory via crafted Office documents. This post covers technical details, affected versions, and mitigation.

Published:

CVE-2026-39904 Overview

CVE-2026-39904 is a denial of service vulnerability in Gophish through version 0.12.1, an open-source phishing simulation framework. The flaw resides in the ApplyTemplate() function within models/attachment.go, which processes Office document attachments as ZIP archives without validating uncompressed file sizes. An authenticated user with the standard User role can upload a crafted Office document containing a zip bomb payload. When Gophish parses the attachment, ioutil.ReadAll() expands the contents into memory, consuming several gigabytes and triggering process termination by the operating system [CWE-770].

Critical Impact

Authenticated low-privilege attackers can crash the Gophish server by uploading a single malicious Office document, disrupting phishing simulation operations.

Affected Products

  • Gophish versions through 0.12.1
  • Gophish email template attachment processing component
  • Deployments exposing the User role to untrusted operators

Discovery Timeline

  • 2026-06-22 - CVE-2026-39904 published to NVD
  • 2026-06-23 - Last updated in NVD database

Technical Details for CVE-2026-39904

Vulnerability Analysis

The vulnerability is classified as Allocation of Resources Without Limits or Throttling [CWE-770]. Gophish accepts Office documents (.docx, .xlsx, .pptx) as email template attachments. These formats are ZIP-based containers. The ApplyTemplate() function in models/attachment.go iterates through ZIP entries and reads each into memory using ioutil.ReadAll(). The function does not enforce an upper bound on the decompressed size of any individual entry. An attacker can construct a zip bomb, where small compressed entries expand to gigabytes of data, exhausting available RAM and causing the Go runtime to be killed by the operating system out-of-memory handler.

Root Cause

The root cause is missing input validation on decompressed attachment content. Streaming reads without a size cap allow a malicious archive with a high compression ratio to allocate unbounded memory. The Go standard library archive/zip package exposes uncompressed size metadata, but the affected code path does not consult it before reading or cap the read operation with io.LimitReader.

Attack Vector

Exploitation requires an authenticated account with the User role, which is the lowest privilege tier in Gophish. The attacker uploads a crafted Office document as an email template attachment through the standard web interface. When the server invokes ApplyTemplate() to process the attachment for rendering, the zip bomb expands in memory. The Gophish process is terminated, denying service to all administrators and campaign operators until the daemon is restarted. The vulnerability mechanism is detailed in the GitHub proof-of-concept and the VulnCheck advisory.

Detection Methods for CVE-2026-39904

Indicators of Compromise

  • Gophish process crashes or restarts immediately following an attachment upload event
  • Operating system oom-killer log entries naming the gophish process in /var/log/syslog or journalctl
  • Unusually small Office document uploads (kilobytes) preceding rapid memory growth on the host
  • HTTP POST requests to /api/templates/ or /api/campaigns/ endpoints containing attachments with extreme compression ratios

Detection Strategies

  • Inspect uploaded Office attachments at the proxy or WAF layer and flag archives where any contained file declares an uncompressed size exceeding a sane threshold (for example, 50 MB)
  • Monitor Gophish host memory utilization for sudden spikes correlated with authenticated API activity
  • Correlate Gophish authentication logs with process termination events to identify which account submitted the triggering upload

Monitoring Recommendations

  • Enable verbose request logging on the Gophish admin interface to capture upload metadata
  • Forward host-level OOM events and Gophish service restarts to a centralized logging platform for alerting
  • Track attachment file hashes across uploads to identify repeated submission of a known malicious payload

How to Mitigate CVE-2026-39904

Immediate Actions Required

  • Restrict User role account creation to trusted operators only and audit existing accounts
  • Place Gophish behind an authenticated reverse proxy that inspects and size-limits multipart uploads
  • Apply per-process memory limits using systemdMemoryMax= or container resource constraints to bound damage from exploitation
  • Monitor the upstream Gophish repository for a patched release addressing ApplyTemplate() input validation

Patch Information

At the time of publication, no vendor patch is listed in the NVD entry for CVE-2026-39904. Refer to the VulnCheck advisory for the latest remediation status. Operators should track the official Gophish project for an updated release beyond 0.12.1.

Workarounds

  • Disable Office document attachments in phishing templates until a fix is available, using plain text or HTML-only templates
  • Deploy an upload gateway that rejects ZIP archives whose declared uncompressed size exceeds a configured limit
  • Run Gophish under systemd with a memory ceiling so an OOM event terminates only the service, not co-located workloads
bash
# Example systemd hardening to cap Gophish memory usage
# /etc/systemd/system/gophish.service.d/override.conf
[Service]
MemoryMax=1G
MemoryHigh=768M
Restart=on-failure
RestartSec=5s

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.