CVE-2026-40885— goshs: Public collaborator feed leaks .goshs ACL credentials and enables unauthorized access
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-40885
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
goshs: Public collaborator feed leaks .goshs ACL credentials and enables unauthorized access
Source: NVD (National Vulnerability Database)
Vulnerability Description
goshs is a SimpleHTTPServer written in Go. From 2.0.0-beta.4 to 2.0.0-beta.5, goshs leaks file-based ACL credentials through its public collaborator feed when the server is deployed without global basic auth. Requests to .goshs-protected folders are logged before authorization is enforced, and the collaborator websocket broadcasts raw request headers, including Authorization. An unauthenticated observer can capture a victim's folder-specific basic-auth header and replay it to read, upload, overwrite, and delete files inside the protected subtree. This vulnerability is fixed in 2.0.0-beta.6.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
信息暴露
Source: NVD (National Vulnerability Database)
Vulnerability Title
goshs 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
goshs是Patrick Hener个人开发者的一个用Go编写的简单HTTP Server。 goshs 2.0.0-beta.4至2.0.0-beta.5版本存在安全漏洞,该漏洞源于在未部署全局基本身份验证时,协作WebSocket广播原始请求标头,可能导致未经身份验证的观察者捕获并重放受害者特定文件夹的基本身份验证标头。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| patrickhener | goshs | >= 2.0.0-beta.4, < 2.0.0-beta.6 | - |
II. Public POCs for CVE-2026-40885
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-40885
请登录查看更多情报信息。
Same Patch Batch · patrickhener · 2026-04-21 · 5 CVEs total
| CVE-2026-40884 | 9.8 CRITICAL | goshs: Empty-username SFTP password authentication bypass in goshs |
| CVE-2026-40903 | 9.1 CRITICAL | Goshs - ArtiPACKED Vulnerability – GitHub Actions Credential Persistence |
| CVE-2026-40876 | SFTP root escape via prefix-based path validation in goshs | |
| CVE-2026-40883 | goshs: CSRF in state-changing GET routes enables authenticated file deletion and directory |
IV. Related Vulnerabilities
Same product: goshs
- CVE-2026-42091
goshs has Cross-Origin Arbitrary File Write via Missing CSRF - CVE-2026-40903
Goshs - ArtiPACKED Vulnerability – GitHub Actions Credential - CVE-2026-40884
goshs: Empty-username SFTP password authentication bypass in - CVE-2026-40883
goshs: CSRF in state-changing GET routes enables authenticat - CVE-2026-40876
SFTP root escape via prefix-based path validation in goshs
Same vendor: patrickhener
- CVE-2026-42091
goshs has Cross-Origin Arbitrary File Write via Missing CSRF - CVE-2026-40903
Goshs - ArtiPACKED Vulnerability – GitHub Actions Credential - CVE-2026-40884
goshs: Empty-username SFTP password authentication bypass in - CVE-2026-40883
goshs: CSRF in state-changing GET routes enables authenticat - CVE-2026-40876
SFTP root escape via prefix-based path validation in goshs
Same weakness: CWE-200
- CVE-2026-42333
quarkus-openapi-generator has overly broad path-parameter ma - CVE-2026-8198
Activity Logs, User Activity Tracking, Multisite Activity Lo - CVE-2026-42456
AnythingLLM: Cross-User TTS Audio Disclosure via Chat ID (ID - CVE-2026-41520
Cillium exposes sensitive information included in the cilium - CVE-2026-25199
Apache CloudStack: Proxmox Extension Allows Unauthorized Cro
V. Comments for CVE-2026-40885
No comments yet