Impact Analysis

This vulnerability allows an attacker to leverage an authenticated victim’s browser to perform unauthorized filesystem changes on the goshs server.

• Delete files on the server (e.g., removing important data).
• Create new directories, potentially disrupting server operations or causing confusion.

Such unauthorized modifications can lead to high impact on the integrity and availability of the server's filesystem, potentially disrupting services or causing data loss.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by verifying if the goshs server is running a vulnerable version (>= v2.0.0-beta.4 and <= v2.0.0-beta.5) and if it exposes state-changing HTTP GET routes such as ?delete and ?mkdir without CSRF protections.

One way to detect exploitation attempts is to monitor HTTP GET requests to these specific routes that perform destructive actions.

Suggested commands to verify the vulnerability and its exploitation include:

• Check the goshs version to confirm if it is within the vulnerable range.
• Use curl or similar tools to test the vulnerable endpoints, for example:
• curl -u username:password "http://<goshs-server-address>/victim.txt?delete"
• curl -u username:password "http://<goshs-server-address>/csrfmade?mkdir"

If these commands succeed in deleting files or creating directories, the server is vulnerable.

Additionally, monitoring logs for unexpected GET requests with these query parameters and checking for unauthorized filesystem changes can help detect exploitation.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include:

• Upgrade goshs to version 2.0.0-beta.6 or later, where this vulnerability is fixed.
• Avoid using HTTP GET requests for state-changing operations such as file deletion and directory creation.
• Implement CSRF protections, including per-request CSRF tokens and strict validation of Origin and Referer headers.
• Treat all rendered HTML content as untrusted and isolate it from issuing authenticated same-origin requests.

Useful 0 Not Useful 0

Executive Summary

CVE-2026-40883 is a Cross-Site Request Forgery (CSRF) vulnerability in the Go-based web server "goshs" versions 2.0.0-beta.4 to 2.0.0-beta.5. The issue occurs because goshs uses HTTP GET routes for state-changing operations like file deletion (?delete) and directory creation (?mkdir), relying only on HTTP Basic Authentication without any CSRF, Origin, or Referer header validation.

An attacker can craft malicious web pages that cause an authenticated victim's browser to automatically send requests to the goshs server, triggering unauthorized file deletions and directory creations without the victim's knowledge or consent.

This happens because browsers automatically include cached HTTP Basic Auth credentials with subresource requests, allowing the attacker to exploit the lack of CSRF protections.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows an attacker to perform unauthorized filesystem modifications such as deleting files and creating directories by exploiting cross-site request forgery (CSRF) in goshs. This can lead to high impact on integrity and availability of the system.

While the CVE description does not explicitly mention compliance with standards like GDPR or HIPAA, the unauthorized modification or deletion of files could potentially lead to violations of data integrity and availability requirements mandated by such regulations.

Organizations relying on goshs without proper CSRF protections and using only HTTP Basic Authentication may face risks related to unauthorized data manipulation, which could affect compliance with regulations that require safeguarding data integrity and availability.

Useful 0 Not Useful 0