CVE-2026-40885
Received Received - Intake
Authorization Header Exposure in goshs Allows Unauthorized File Access

Publication date: 2026-04-21

Last updated on: 2026-04-27

Assigner: GitHub, Inc.

Description
goshs is a SimpleHTTPServer written in Go. From 2.0.0-beta.4 to 2.0.0-beta.5, goshs leaks file-based ACL credentials through its public collaborator feed when the server is deployed without global basic auth. Requests to .goshs-protected folders are logged before authorization is enforced, and the collaborator websocket broadcasts raw request headers, including Authorization. An unauthenticated observer can capture a victim's folder-specific basic-auth header and replay it to read, upload, overwrite, and delete files inside the protected subtree. This vulnerability is fixed in 2.0.0-beta.6.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-21
Last Modified
2026-04-27
Generated
2026-06-16
AI Q&A
2026-04-22
EPSS Evaluated
2026-06-15
NVD
CVE-2026-40885
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
goshs goshs 2.0.0
goshs goshs 2.0.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

This vulnerability leads to leakage of sensitive file-based ACL credentials and allows unauthorized access to protected files, including reading, uploading, modifying, and deleting data. Such unauthorized data exposure and manipulation can result in non-compliance with common data protection standards and regulations like GDPR and HIPAA, which require strict access controls and protection of sensitive information.

Because an unauthenticated attacker can capture and replay authentication headers to gain full access to protected content, this vulnerability undermines confidentiality and integrity requirements mandated by these regulations.

Organizations using vulnerable versions of goshs without proper global authentication risk violating compliance obligations related to data security and privacy.

Impact Analysis

This vulnerability can have a significant impact by allowing unauthorized users to gain full access to protected files within goshs deployments that lack global basic authentication.

  • An attacker can capture and replay folder-specific basic authentication headers to bypass access controls.
  • The attacker can read sensitive files that should be protected.
  • The attacker can upload new files, potentially introducing malicious content.
  • The attacker can overwrite existing files, causing data corruption or loss.
  • The attacker can delete files within the protected subtree, leading to data loss.

Overall, this leads to a full compromise of confidentiality, integrity, and availability of the protected data.

Detection Guidance

This vulnerability can be detected by monitoring for unauthorized access to the collaborator websocket feed and inspecting if raw HTTP request headers, including Authorization headers, are being broadcasted publicly.

Specifically, you can check if goshs is running without global basic authentication (i.e., without the -b user:pass flag) and if the collaborator websocket is accessible without authentication.

To detect exploitation attempts or the presence of leaked credentials, you can use network monitoring tools to capture websocket traffic and look for Authorization headers being transmitted.

  • Use a websocket client or tool (e.g., wscat) to connect to the collaborator websocket endpoint and observe if raw request headers including Authorization are broadcasted.
  • Use network packet capture tools like tcpdump or Wireshark to monitor traffic on the websocket port and filter for Authorization headers.
  • Check the goshs server startup parameters to verify if global basic authentication is enabled (presence of -b user:pass flag).
Mitigation Strategies

Immediate mitigation steps include enabling global basic authentication on the goshs server by using the -b user:pass flag to protect the entire server.

Restrict access to the collaborator websocket and panel by enforcing authentication boundaries at least as strong as those protecting the resources.

Avoid broadcasting sensitive headers such as Authorization, Cookie, or Proxy-Authorization in collaborator events.

Update goshs to version 2.0.0-beta.6 or later, where this vulnerability is fixed.

Executive Summary

CVE-2026-40885 is a high-severity vulnerability in the Go package "goshs", versions from 2.0.0-beta.4 to 2.0.0-beta.5. The issue arises when goshs is deployed without global basic authentication, causing it to leak file-based ACL credentials through its public collaborator feed.

Specifically, requests to .goshs-protected folders are logged and broadcasted via a collaborator websocket before authorization checks are enforced. This means that raw HTTP request headers, including sensitive Authorization headers, are exposed publicly.

An unauthenticated observer connected to this collaborator websocket can capture a victim's folder-specific basic-auth header and replay it to gain unauthorized access to the protected folder.

  • The attacker can read, upload, overwrite, and delete files inside the protected subtree by replaying the stolen credentials.

This vulnerability is fixed in version 2.0.0-beta.6.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-40885. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart