{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40885", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-15T15:57:41.719Z", "datePublished": "2026-04-21T19:40:37.272Z", "dateUpdated": "2026-04-21T20:05:26.627Z"}, "containers": {"cna": {"title": "goshs: Public collaborator feed leaks .goshs ACL credentials and enables unauthorized access", "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "lang": "en", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/patrickhener/goshs/security/advisories/GHSA-7h3j-592v-jcrp", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/patrickhener/goshs/security/advisories/GHSA-7h3j-592v-jcrp"}], "affected": [{"vendor": "patrickhener", "product": "goshs", "versions": [{"version": ">= 2.0.0-beta.4, < 2.0.0-beta.6", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-21T19:40:37.272Z"}, "descriptions": [{"lang": "en", "value": "goshs is a SimpleHTTPServer written in Go. From 2.0.0-beta.4 to 2.0.0-beta.5, goshs leaks file-based ACL credentials through its public collaborator feed when the server is deployed without global basic auth. Requests to .goshs-protected folders are logged before authorization is enforced, and the collaborator websocket broadcasts raw request headers, including Authorization. An unauthenticated observer can capture a victim's folder-specific basic-auth header and replay it to read, upload, overwrite, and delete files inside the protected subtree. This vulnerability is fixed in 2.0.0-beta.6."}], "source": {"advisory": "GHSA-7h3j-592v-jcrp", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/patrickhener/goshs/security/advisories/GHSA-7h3j-592v-jcrp", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-21T20:05:21.029819Z", "id": "CVE-2026-40885", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T20:05:26.627Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-40885", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-21T20:05:21.029819Z"}}}], "references": [{"url": "https://github.com/patrickhener/goshs/security/advisories/GHSA-7h3j-592v-jcrp", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T20:05:14.784Z"}}], "cna": {"title": "goshs: Public collaborator feed leaks .goshs ACL credentials and enables unauthorized access", "source": {"advisory": "GHSA-7h3j-592v-jcrp", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 7.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "patrickhener", "product": "goshs", "versions": [{"status": "affected", "version": ">= 2.0.0-beta.4, < 2.0.0-beta.6"}]}], "references": [{"url": "https://github.com/patrickhener/goshs/security/advisories/GHSA-7h3j-592v-jcrp", "name": "https://github.com/patrickhener/goshs/security/advisories/GHSA-7h3j-592v-jcrp", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "goshs is a SimpleHTTPServer written in Go. From 2.0.0-beta.4 to 2.0.0-beta.5, goshs leaks file-based ACL credentials through its public collaborator feed when the server is deployed without global basic auth. Requests to .goshs-protected folders are logged before authorization is enforced, and the collaborator websocket broadcasts raw request headers, including Authorization. An unauthenticated observer can capture a victim's folder-specific basic-auth header and replay it to read, upload, overwrite, and delete files inside the protected subtree. This vulnerability is fixed in 2.0.0-beta.6."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-200", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-21T19:40:37.272Z"}}}, "cveMetadata": {"cveId": "CVE-2026-40885", "state": "PUBLISHED", "dateUpdated": "2026-04-21T20:05:26.627Z", "dateReserved": "2026-04-15T15:57:41.719Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-21T19:40:37.272Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:goshs:goshs:2.0.0:beta4:*:*:*:go:*:*", "matchCriteriaId": "486D1F77-023B-4EB9-8B49-17EF6546F2DF", "vulnerable": true}, {"criteria": "cpe:2.3:a:goshs:goshs:2.0.0:beta5:*:*:*:go:*:*", "matchCriteriaId": "5834E73F-2EF9-42BD-BE8B-DE087A19A132", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "goshs is a SimpleHTTPServer written in Go. From 2.0.0-beta.4 to 2.0.0-beta.5, goshs leaks file-based ACL credentials through its public collaborator feed when the server is deployed without global basic auth. Requests to .goshs-protected folders are logged before authorization is enforced, and the collaborator websocket broadcasts raw request headers, including Authorization. An unauthenticated observer can capture a victim's folder-specific basic-auth header and replay it to read, upload, overwrite, and delete files inside the protected subtree. This vulnerability is fixed in 2.0.0-beta.6."}], "id": "CVE-2026-40885", "lastModified": "2026-04-27T14:51:50.770", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-21T20:17:02.257", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/patrickhener/goshs/security/advisories/GHSA-7h3j-592v-jcrp"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/patrickhener/goshs/security/advisories/GHSA-7h3j-592v-jcrp"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2.0.0-beta.4,2.0.0-beta.6)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "goshs", "source": "cna", "vendor": "patrickhener"}, "product": "goshs", "vendor": "patrickhener"}], "analysis": {"en": {"generated_at": "2026-04-28T16:16:01.441018+00:00", "value": {"mitigation_remediation": ["Upgrade to goshs 2.0.0\u2011beta.6 or later, which removes the credential leak from the collaborator feed.", "Enable global Basic Authentication on the server to prevent the leak; the authorization header will no longer be transmitted openly.", "Restrict network access to the collaborator feed or the .goshs\u2011protected directories (e.g., via firewall rules or IP whitelisting) to limit exposure to trusted hosts."], "summary": {"action": "Immediate Patch", "impact": "Information disclosure and unauthorized access"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the open\u2011source SimpleHTTPServer \u201cgoshs\u201d produced by patrickhener. The issue is present in releases 2.0.0\u2011beta.4 to 2.0.0\u2011beta.5, and only occurs when the server is run without global basic authentication. The fix is delivered in 2.0.0\u2011beta.6. Organizations running any affected version should identify installations and confirm they are not exposed to public collaborator feeds.", "description_and_impact": "goshs version 2.0.0-beta.4 through 2.0.0-beta.5 leaks file\u2011based access\u2011control list credentials via its public collaborator feed. The server publishes raw request headers\u2014including Basic Authorization headers for protected folders\u2014before enforcing authentication on incoming requests. An attacker who observes the feed can capture a victim\u2019s folder\u2011specific Authorization header and replay it to read, upload, overwrite, or delete files within the protected subtree. The weakness is a classic information\u2011disclosure flaw (CWE\u2011200) that also enables unauthorized access to confidential data and operations.", "risk_and_exploitability": "The CVSS score of 7.7 indicates a high severity. The EPSS score of 0.0009 indicates a very low probability of exploitation, and the vulnerability is not listed in the KEV catalog. An unauthenticated observer that can reach the public collaborator feed and the protected folders (typically via the same network or the Internet if the feed is exposed) can easily capture the Authorization header. Because the credential leakage occurs in a public channel, the attack vector is likely remote over the network. The exploitation requires no special privileges beyond access to the feed, making this a straightforward privilege\u2011escalation scenario for anyone who can observe the traffic."}}}}, "created": "2026-04-22T05:30:09.558875+00:00", "updated": "2026-04-28T16:30:35.081779+00:00", "vendors": ["patrickhener", "patrickhener$PRODUCT$goshs"]}