CVE-2026-40885: gosh public collaborator feed leaks Basic Auth credentials

Vulnerability Summary: Public collaborator feed leaks .gosh ACL credentials Vulnerability Overview Vulnerability Name: Public collaborator feed leaks .gosh ACL credentials and enables unauthorized access CVE ID: CVE-2026-40885 Severity: High (7.7 / 10) Affected Versions: >= v2.0.0-beta.4, <= v2.0.0-beta.5 Fixed Version: v2.0.0-beta.6 Description: When the server is deployed without global basic authentication, its public collaborator feed leaks file-based ACL credentials. 1. Requests to the protected folder are logged before authorization enforcement. 2. The collaborator websocket broadcasts raw request headers, including . 3. Unauthorized observers can capture the victim’s folder-specific basic-auth request headers and reuse them to read, upload, overwrite, or delete files within the protected subtree. Impact Scope Confidentiality: High Integrity: High Availability: High Attack Vector: Network Attack Complexity: Low Attack Requirements: Present Privileges Required: None User Interaction: Passive Specific Impact: Any unauthorized observer accessing the public collaborator websocket can steal folder-level basic-auth credentials from the victim’s requests and immediately reuse them to read, upload, overwrite, or delete files inside the protected subtree. Deployments relying on public collaborator access while selectively protecting subfolders are directly exposed. Remediation 1. Do not store or broadcast sensitive headers such as , , or in collaborator events. 2. Move collaborator logging after access control checks, and log only minimal metadata instead of raw headers and bodies. 3. Protect the collaborator websocket and dashboard using the same or stronger authentication boundary as the resource being observed. POC Code Manual Verification Command (Terminal 1) Manual Verification Command (Terminal 2) Manual Verification Command (Terminal 3) Local Verification Command Single Script Verification (gosh_poc4)

Goal Reached Thanks to every supporter — we hit 100%!

CVE-2026-40885: gosh public collaborator feed leaks Basic Auth credentials

More from this source