CVE-2026-40885
Status: Received - Intake
Authorization Header Exposure in goshs Allows Unauthorized File Access

Publication date: 2026-04-21

Last updated on: 2026-04-27

Assigner: GitHub, Inc.

Description
goshs is a SimpleHTTPServer written in Go. From 2.0.0-beta.4 to 2.0.0-beta.5, goshs leaks file-based ACL credentials through its public collaborator feed when the server is deployed without global basic auth. Requests to .goshs-protected folders are logged before authorization is enforced, and the collaborator websocket broadcasts raw request headers, including Authorization. An unauthenticated observer can capture a victim's folder-specific basic-auth header and replay it to read, upload, overwrite, and delete files inside the protected subtree. This vulnerability is fixed in 2.0.0-beta.6.
Meta Information
Published: 2026-04-21
Last Modified: 2026-04-27
Generated: 2026-05-07
AI Q&A: 2026-04-21
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 2 associated CPEs
Vendor   Product   Version / Range
goshs    goshs     2.0.0
goshs    goshs     2.0.0
CWE ID    Description
CWE-200   The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-40885 is a high-severity vulnerability in the Go package "goshs", versions from 2.0.0-beta.4 to 2.0.0-beta.5. The issue arises when goshs is deployed without global basic authentication, causing it to leak file-based ACL credentials through its public collaborator feed.

Specifically, requests to .goshs-protected folders are logged and broadcast via a collaborator websocket before authorization checks are enforced. This means that raw HTTP request headers, including sensitive Authorization headers, are exposed publicly.

An unauthenticated observer connected to this collaborator websocket can capture a victim's folder-specific basic-auth header and replay it to gain unauthorized access to the protected folder.

  • The attacker can read, upload, overwrite, and delete files inside the protected subtree by replaying the stolen credentials.

This vulnerability is fixed in version 2.0.0-beta.6.


How can this vulnerability impact me?

This vulnerability can have a significant impact by allowing unauthorized users to gain full access to protected files within goshs deployments that lack global basic authentication.

  • An attacker can capture and replay folder-specific basic authentication headers to bypass access controls.
  • The attacker can read sensitive files that should be protected.
  • The attacker can upload new files, potentially introducing malicious content.
  • The attacker can overwrite existing files, causing data corruption or loss.
  • The attacker can delete files within the protected subtree, leading to data loss.

Overall, this leads to a full compromise of confidentiality, integrity, and availability of the protected data.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring for unauthorized access to the collaborator websocket feed and inspecting whether raw HTTP request headers, including Authorization headers, are being broadcast publicly.

Specifically, you can check if goshs is running without global basic authentication (i.e., without the -b user:pass flag) and if the collaborator websocket is accessible without authentication.

To detect exploitation attempts or the presence of leaked credentials, you can use network monitoring tools to capture websocket traffic and look for Authorization headers being transmitted.

  • Use a websocket client or tool (e.g., wscat) to connect to the collaborator websocket endpoint and observe whether raw request headers, including Authorization, are broadcast.
  • Use network packet capture tools like tcpdump or Wireshark to monitor traffic on the websocket port and filter for Authorization headers.
  • Check the goshs server startup parameters to verify if global basic authentication is enabled (presence of -b user:pass flag).

What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include enabling global basic authentication on the goshs server by using the -b user:pass flag to protect the entire server.

Restrict access to the collaborator websocket and panel by enforcing authentication boundaries at least as strong as those protecting the resources.

Avoid broadcasting sensitive headers such as Authorization, Cookie, or Proxy-Authorization in collaborator events.

Update goshs to version 2.0.0-beta.6 or later, where this vulnerability is fixed.
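The two fixes described above, enforcing the folder ACL before anything is logged and stripping Authorization, Cookie and Proxy-Authorization from collaborator events, sketched as an added Go example. This is not goshs's own code: the event struct, the handler shape and the ACL callback are assumptions made for the illustration.

```go
package main

import (
	"encoding/json"
	"net/http"
)
// Headers that must never reach the collaborator feed: Authorization is the one
// CVE-2026-40885 leaks; Cookie and Proxy-Authorization are the others the advisory names.
var sensitiveHeaders = map[string]bool{
	"Authorization": true, "Cookie": true, "Proxy-Authorization": true,
}
// collabEvent is a constructed event shape; goshs's real event type is not reproduced here.
type collabEvent struct {
	Method  string              `json:"method"`
	Path    string              `json:"path"`
	Headers map[string][]string `json:"headers"`
}
// redactHeaders copies h, replacing sensitive values with a marker so the feed
// shows which headers were present but never their secret values.
func redactHeaders(h http.Header) map[string][]string {
	out := make(map[string][]string, len(h))
	for k, v := range h {
		if sensitiveHeaders[http.CanonicalHeaderKey(k)] {
			out[k] = []string{"[REDACTED]"}
			continue
		}
		out[k] = append([]string(nil), v...)
	}
	return out
}
// buildEvent serialises a request for the feed with secrets already removed.
func buildEvent(r *http.Request) ([]byte, error) {
	return json.Marshal(collabEvent{Method: r.Method, Path: r.URL.Path, Headers: redactHeaders(r.Header)})
}
// protectedHandler enforces the folder ACL first and only then broadcasts,
// reversing the log-before-authorize ordering described in the advisory.
func protectedHandler(authorized func(*http.Request) bool, broadcast func([]byte), next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !authorized(r) {
			w.Header().Set("WWW-Authenticate", `Basic realm="goshs"`)
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return // a rejected request is neither logged nor broadcast
		}
		if ev, err := buildEvent(r); err == nil {
			broadcast(ev)
		}
		next.ServeHTTP(w, r)
	})
}
```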


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability leads to leakage of sensitive file-based ACL credentials and allows unauthorized access to protected files, including reading, uploading, modifying, and deleting data. Such unauthorized data exposure and manipulation can result in non-compliance with common data protection standards and regulations like GDPR and HIPAA, which require strict access controls and protection of sensitive information.

Because an unauthenticated attacker can capture and replay authentication headers to gain full access to protected content, this vulnerability undermines confidentiality and integrity requirements mandated by these regulations.

Organizations using vulnerable versions of goshs without proper global authentication risk violating compliance obligations related to data security and privacy.

