Cyber Resilience

CVE-2026-40903

Severity: Critical
Published: 21 April 2026
Modified: 01 May 2026
KEV Added: not listed
Patch: available (fixed in 2.0.0-beta.6)
CVSS v3.1 score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
EPSS score: 0.0024 (15.4th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-40903 is a critical-severity Inclusion of Functionality from Untrusted Control Sphere (CWE-829) vulnerability in goshs (vendor/product recorded as Goshs Goshs). Its CVSS v3.1 base score is 9.1 (Critical).

This page maps exploitation to the MITRE ATT&CK techniques Exploit Public-Facing Application (T1190) and Steal Application Access Token (T1528). EPSS ranks it at the 15.4th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-40903 is an ArtiPACKED vulnerability (classified as CWE-829) in goshs, a SimpleHTTPServer implementation written in Go. Versions prior to 2.0.0-beta.6 are affected. ArtiPACKED is the name given to a class of GitHub Actions misconfigurations in which the workflow's GITHUB_TOKEN ends up inside a downloadable workflow artifact even though the token never appears in the repository's source code. In the documented cases of this class, a checkout step persists the token in the workspace (actions/checkout writes it into .git/config by default) and a later upload-artifact step packages that workspace, token included. The CVSS v3.1 base score is 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N), Critical rather than High: the artifact is fetched over the network, no privileges or user interaction are required, and the impact on confidentiality and integrity is rated high.

Note where the attack surface is: the flaw lives in the project's CI workflow and its publicly downloadable artifacts, not in the request handling of a deployed goshs HTTP server, so an attacker does not need to reach any running goshs instance. Anyone who can download the affected repository's workflow artifacts can recover the GITHUB_TOKEN and, while it is still valid, use it against the associated repository, workflows, or dependent resources, for example to modify code or escalate further. The practical window is bounded by the token's lifetime, which ends when the workflow job that issued it completes, so exploitation is a race against the running job rather than a persistent compromise.
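To make the mechanism concrete, here is an added example (not code from goshs, from the advisory, or from the ArtiPACKED research) that scans an extracted workflow artifact for the credential that actions/checkout persists into .git/config. The artifact contents and the token value ghs_FAKE are constructed for this example; the extraheader line format (a basic-auth header whose base64 payload decodes to "x-access-token:<token>") is the one actions/checkout writes when persist-credentials is left enabled.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"path"
	"regexp"
	"sort"
	"strings"
)

// Constructed sample of the [http] section that actions/checkout writes into
// .git/config when persist-credentials is left at its default (true). The
// base64 value decodes to "x-access-token:ghs_FAKE"; no real token is used.
const sampleGitConfig = `[core]
	repositoryformatversion = 0
[remote "origin"]
	url = https://github.com/example-org/example-repo
[http "https://github.com/"]
	extraheader = AUTHORIZATION: basic eC1hY2Nlc3MtdG9rZW46Z2hzX0ZBS0U=
`

// Constructed stand-in for an unzipped workflow artifact: path -> contents.
// A workspace uploaded whole carries its .git directory, and with it the token.
var sampleArtifact = map[string]string{
	"goshs/README.md":   "# goshs\n",
	"goshs/.git/config": sampleGitConfig,
	"goshs/.git/HEAD":   "ref: refs/heads/main\n",
}

var extraHeaderRe = regexp.MustCompile(`(?im)^\s*extraheader\s*=\s*AUTHORIZATION:\s*basic\s+(\S+)`)

// ExtractLeakedToken decodes the basic-auth extraheader that actions/checkout
// stores in .git/config and returns the embedded GitHub token, if present.
func ExtractLeakedToken(gitConfig string) (string, bool) {
	m := extraHeaderRe.FindStringSubmatch(gitConfig)
	if m == nil {
		return "", false
	}
	raw, err := base64.StdEncoding.DecodeString(m[1])
	if err != nil {
		return "", false
	}
	user, token, ok := strings.Cut(string(raw), ":")
	if !ok || user != "x-access-token" || token == "" {
		return "", false
	}
	return token, true
}

// Finding records one leaked credential inside an artifact.
type Finding struct {
	File  string
	Token string // redacted: prefix only, so the report itself does not leak it
}

// ScanArtifact walks the files of an already extracted artifact and reports
// every .git/config that carries a persisted GitHub token.
func ScanArtifact(files map[string]string) []Finding {
	var out []Finding
	for name, content := range files {
		if path.Base(name) != "config" || !strings.HasSuffix(path.Dir(name), ".git") {
			continue
		}
		if tok, ok := ExtractLeakedToken(content); ok {
			out = append(out, Finding{File: name, Token: Redact(tok)})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].File < out[j].File })
	return out
}

// Redact keeps the token prefix (enough to tell a GitHub Actions token apart
// from other GitHub token types) and masks the rest.
func Redact(token string) string {
	if len(token) <= 4 {
		return strings.Repeat("*", len(token))
	}
	return token[:4] + strings.Repeat("*", len(token)-4)
}

func main() {
	for _, f := range ScanArtifact(sampleArtifact) {
		fmt.Printf("leaked GitHub token in %s: %s\n", f.File, f.Token)
	}
}
```

The same scan, pointed at a real artifact unzipped to disk, is how a maintainer confirms whether an already published artifact exposed a token; the defensive response is then to revoke by letting the job finish, fix the workflow, and delete the artifact.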

The GitHub security advisory at https://github.com/patrickhener/goshs/security/advisories/GHSA-hpxj-9fgp-fhhf confirms the vulnerability and states that it is fixed in version 2.0.0-beta.6, recommending immediate upgrades to mitigate the risk of token leakage.
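An added example (not the project's own code and not taken from the advisory) of the check a maintainer would run over workflow files before and after a fix of this kind: it flags an upload-artifact step that ships the workspace after a checkout that persisted GITHUB_TOKEN, with the vulnerable and the corrected workflow side by side. Both workflow texts are constructed for the example and are not goshs's actual CI configuration, which this page does not show; the reader is a deliberately small line-based scanner, not a YAML parser.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed workflow with the vulnerable pattern: actions/checkout keeps its
// default persist-credentials: true (GITHUB_TOKEN is written to .git/config in
// the workspace) and the whole workspace is then uploaded as an artifact.
const vulnerableWorkflow = `jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: actions/upload-artifact@v4
        with:
          name: workspace
          path: .
`

// Same workflow with both fixes: no persisted token, only build output uploaded.
const fixedWorkflow = `jobs:
  build:
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - uses: actions/upload-artifact@v4
        with:
          name: goshs-binary
          path: dist/
`

type step struct {
	uses string
	with map[string]string
}

// parseSteps is a line-oriented reader for the subset of workflow YAML needed
// here (list items with uses: and with: keys). It is not a YAML parser.
func parseSteps(workflow string) []*step {
	var steps []*step
	var cur *step
	inWith, withIndent := false, -1
	for _, line := range strings.Split(workflow, "\n") {
		text := strings.TrimSpace(line)
		if text == "" || strings.HasPrefix(text, "#") {
			continue
		}
		indent := len(line) - len(strings.TrimLeft(line, " "))
		if strings.HasPrefix(text, "- ") { // a new list item, i.e. a new step
			cur = &step{with: map[string]string{}}
			steps = append(steps, cur)
			inWith = false
			text = strings.TrimPrefix(text, "- ")
		}
		key, val, ok := strings.Cut(text, ":")
		if cur == nil || !ok {
			continue
		}
		key, val = strings.TrimSpace(key), strings.Trim(strings.TrimSpace(val), `"'`)
		if inWith && indent > withIndent { // still inside the with: mapping
			cur.with[key] = val
			continue
		}
		inWith = false
		switch {
		case key == "with" && val == "":
			inWith, withIndent = true, indent
		case key == "uses":
			cur.uses = val
		}
	}
	return steps
}

// uploadsWorkspace is conservative: a missing path, the workspace root, anything
// under .git, or a multi-line scalar we cannot inspect all count as a hit.
func uploadsWorkspace(p string) bool {
	return p == "" || p == "." || p == "./" || p == "|" || p == ">" ||
		strings.Contains(p, ".git") || strings.Contains(p, "github.workspace")
}

// AuditWorkflow reports each upload-artifact step that ships the checked-out
// workspace while the preceding checkout still persisted GITHUB_TOKEN.
func AuditWorkflow(workflow string) []string {
	var findings []string
	persisting := false
	for _, s := range parseSteps(workflow) {
		switch {
		case strings.HasPrefix(s.uses, "actions/checkout"):
			persisting = s.with["persist-credentials"] != "false"
		case strings.HasPrefix(s.uses, "actions/upload-artifact"):
			if persisting && uploadsWorkspace(s.with["path"]) {
				findings = append(findings, fmt.Sprintf("%s uploads %q after a checkout that persisted GITHUB_TOKEN", s.uses, s.with["path"]))
			}
		}
	}
	return findings
}

func main() {
	fmt.Println("vulnerable:", AuditWorkflow(vulnerableWorkflow))
	fmt.Println("fixed:", AuditWorkflow(fixedWorkflow))
}
```

The two corrections shown in fixedWorkflow are independent and both worth applying: persist-credentials: false removes the token from the workspace regardless of what is uploaded later, and narrowing the artifact path to build output keeps .git out of the artifact even if a future checkout step forgets the flag.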


Vulnerability details

goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.6, goshs has an ArtiPACKED vulnerability. ArtiPACKED can lead to leakage of the GITHUB_TOKEN through workflow artifacts, even though the token is not present in the repository source code. This vulnerability is fixed in 2.0.0-beta.6.

CWE(s)

CWE-829 Inclusion of Functionality from Untrusted Control Sphere

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1528 Steal Application Access Token (Credential Access): Adversaries can steal application access tokens as a means of acquiring credentials to access remote systems and resources.

Why these techniques?

The stolen credential is a GitHub Actions token recovered from a downloadable workflow artifact, which is T1528 (Steal Application Access Token). T1190 (Exploit Public-Facing Application) is listed because the artifact is retrieved from an internet-facing service without authentication; it does not mean a deployed goshs server is the target, since the flaw is in the project's CI workflow rather than in the HTTP server's request handling.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-40884 · same product (goshs)
CVE-2026-40885 · same product (goshs)
CVE-2026-40883 · same product (goshs)
CVE-2026-34581 · same product (goshs)
CVE-2026-40189 · same product (goshs)
CVE-2026-40876 · same product (goshs)
CVE-2026-40188 · same product (goshs)
CVE-2025-62726 · shared CWE-829
CVE-2020-36905 · shared CWE-829
CVE-2025-68924 · shared CWE-829

Affected Assets

goshs (vendor: Goshs)
Asset record: 2.0.0 · ≤ 2.0.0. Read this together with the advisory: the fixed version, 2.0.0-beta.6, is a pre-release that sorts before 2.0.0, so the affected range is versions prior to 2.0.0-beta.6.

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent): Directly mitigates CVE-2026-40903 by requiring timely patching of the ArtiPACKED vulnerability in goshs versions prior to 2.0.0-beta.6.

RA-5 Vulnerability Monitoring and Scanning (detect): Enables proactive detection of vulnerable goshs instances through vulnerability scanning for CVEs like CVE-2026-40903.

Detect (control identifier not given on this page): Monitors for unauthorized disclosure of sensitive information such as GITHUB_TOKEN leaked via vulnerable goshs workflow artifacts.

References

GitHub security advisory GHSA-hpxj-9fgp-fhhf: https://github.com/patrickhener/goshs/security/advisories/GHSA-hpxj-9fgp-fhhf