CVE-2026-40885
Published: 21 April 2026
Summary
CVE-2026-40885 is a high-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Goshs Goshs. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 19.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-22 (Publicly Accessible Content) and SC-14 (Public Access Protections).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Flaw remediation directly addresses the software defect in goshs that leaks credentials via pre-authorization logging and WebSocket broadcasts by requiring timely patching to the fixed version.
Public access protections filter sensitive information, such as Authorization headers, prior to transmission over the public collaborator WebSocket feed.
Controls on publicly accessible content restrict transmission of sensitive credential information through the collaborator feed without proper authorization.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability affects a public-facing web server allowing exploitation via T1190 to leak basic-auth credentials through the public collaborator feed; the attacker can then replay the captured credentials to authenticate and access protected resources via T1078.
NVD Description
goshs is a SimpleHTTPServer written in Go. From 2.0.0-beta.4 to 2.0.0-beta.5, goshs leaks file-based ACL credentials through its public collaborator feed when the server is deployed without global basic auth. Requests to .goshs-protected folders are logged before authorization is enforced,…
more
and the collaborator websocket broadcasts raw request headers, including Authorization. An unauthenticated observer can capture a victim's folder-specific basic-auth header and replay it to read, upload, overwrite, and delete files inside the protected subtree. This vulnerability is fixed in 2.0.0-beta.6.
Deeper analysisAI
CVE-2026-40885 affects goshs, a SimpleHTTPServer written in Go, specifically versions from 2.0.0-beta.4 to 2.0.0-beta.5. The vulnerability involves the leakage of file-based access control list (ACL) credentials through the server's public collaborator feed when deployed without global basic authentication. Requests to .goshs-protected folders are logged prior to authorization enforcement, and the collaborator WebSocket broadcasts raw request headers, including the Authorization header, exposing folder-specific basic-auth credentials.
An unauthenticated observer can exploit this by monitoring the public collaborator feed to capture a victim's basic-auth header for a protected folder. With the captured credentials, the attacker can replay the header to gain unauthorized access, enabling them to read, upload, overwrite, and delete files within the protected subtree. The CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) reflects a network-accessible attack requiring low complexity and user interaction but no privileges, resulting in high impacts to confidentiality, integrity, and availability.
The GitHub security advisory at https://github.com/patrickhener/goshs/security/advisories/GHSA-7h3j-592v-jcrp details the issue and states that it is fixed in version 2.0.0-beta.6. Security practitioners should upgrade to the patched version and consider enabling global basic authentication for deployments relying on the collaborator feed. The vulnerability is associated with CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor).
Details
- CWE(s)