CVE-2026-42503
Status: Awaiting Analysis - Queue
Remote Code Execution in gopls Debug Mode

Publication date: 2026-05-06

Last updated on: 2026-05-06

Assigner: Go Project

Description
gopls by default communicates via pipe. However, -port and -listen flags are supported as means of debugging. If -listen is given a value without an explicit host (e.g. :8080), or -port is used, gopls will listen on 0.0.0.0. As a result, users might inadvertently cause gopls to bind 0.0.0.0. This can allow a malicious party on the same network to execute code arbitrarily via gopls.
Meta Information
Published: 2026-05-06
Last Modified: 2026-05-06
Generated: 2026-06-16
AI Q&A: 2026-05-06
EPSS Evaluated: 2026-06-15
Affected Vendors & Products (1 associated CPE)
Vendor: golang
Product: gopls
Version / Range: *
CWE
CWE-1327: The product assigns the address 0.0.0.0 for a database server, a cloud service/instance, or any computing resource that communicates remotely.
AI Quick Actions
Executive Summary

gopls normally communicates over a pipe, but it supports -port and -listen flags for debugging, and the vulnerability arises from how those flags choose the bind address.

If the -listen flag is given a value without specifying a host (for example, :8080), or if the -port flag is used, gopls will listen on all network interfaces (0.0.0.0).

This behavior can cause gopls to unintentionally bind to 0.0.0.0, exposing it to the network.

As a result, a malicious party on the same network could exploit this to execute arbitrary code via gopls.

Impact Analysis

This vulnerability can have serious impacts including unauthorized remote code execution by attackers on the same network.

Because gopls may listen on all interfaces unintentionally, attackers could gain control over the system running gopls.

This could lead to compromise of confidentiality, integrity, and availability of the affected system.

Compliance Impact

The vulnerability in gopls allows a malicious party on the same network to execute arbitrary code remotely if certain debugging flags are used improperly, causing gopls to listen on all network interfaces (0.0.0.0).

This exposure could lead to unauthorized access and control over systems running gopls, potentially resulting in data breaches or unauthorized data processing.

Such unauthorized access and potential data compromise could negatively impact compliance with standards and regulations like GDPR and HIPAA, which require strict controls over data confidentiality, integrity, and access.

Detection Guidance

This vulnerability can be detected by checking if gopls is listening on all network interfaces (0.0.0.0) due to the use of the -port or -listen flags without an explicit host.

You can use network scanning or system commands to detect if gopls is bound to 0.0.0.0 on a specific port.

  • Use netstat or ss to check listening ports and interfaces, for example: netstat -tuln | grep LISTEN or ss -tuln | grep LISTEN
  • Look specifically for gopls processes listening on 0.0.0.0 by running: sudo lsof -i -P -n | grep gopls
  • Use nmap from another machine on the same network to scan for open gopls ports, e.g., nmap -p 8080 <target-ip>
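
The netstat/ss check above, turned into a repeatable script as an added example (not part of this record or of the gopls project): a shell function that reads `ss -tlnp` style output (Linux iproute2 layout) and reports only gopls sockets whose local address is a wildcard. The sample input is constructed for the demonstration, not captured from a real host.

```shell
#!/bin/sh
# Report gopls listeners bound to all interfaces, from `ss -tlnp` style output on stdin.
# Prints "<local-address:port> <pid>" for each gopls socket whose host part is
# 0.0.0.0, * or [::] (wildcard). Sockets on 127.0.0.1 or a specific IP are skipped.
gopls_wildcard_listeners() {
  awk '
    $1 == "State" { next }                  # header line printed by ss
    $1 != "LISTEN" { next }                 # only listening sockets matter here
    $NF !~ /"gopls"/ { next }               # process column: users:(("gopls",pid=N,fd=M))
    {
      addr = $4                              # Local Address:Port column
      host = addr
      sub(/:[0-9]+$/, "", host)              # strip the port, keep the host part
      if (host == "0.0.0.0" || host == "*" || host == "[::]" || host == "") {
        pid = $NF
        sub(/.*pid=/, "", pid)               # isolate the pid from the process column
        sub(/,.*/, "", pid)
        print addr, pid
      }
    }
  '
}

# Constructed sample in the layout of `ss -tlnp` (not real output): one gopls
# instance on loopback (fine), two on wildcard addresses, and an unrelated sshd.
SAMPLE='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      4096   127.0.0.1:8080      0.0.0.0:*         users:(("gopls",pid=4242,fd=7))
LISTEN 0      4096   0.0.0.0:8080        0.0.0.0:*         users:(("gopls",pid=4243,fd=7))
LISTEN 0      4096   *:8081              *:*               users:(("gopls",pid=4244,fd=8))
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=912,fd=3))'

# On a live host, pipe the real command instead:  ss -tlnp | gopls_wildcard_listeners
printf '%s\n' "$SAMPLE" | gopls_wildcard_listeners
```

Any line the function prints is a gopls instance reachable from other hosts on the network; an empty result means every gopls socket is bound to loopback or a specific address.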
Mitigation Strategies

To mitigate this vulnerability, avoid using the -port or -listen flags without specifying an explicit host when running gopls.

Ensure that gopls is not bound to 0.0.0.0: restrict its listening interface to localhost or a specific IP address.

If debugging is necessary, specify the host explicitly with the -listen flag (e.g., 127.0.0.1:8080) to prevent exposure on all interfaces.

Additionally, monitor your network for unexpected gopls listening services and restrict network access to trusted users only.
