Cyber Posture

CVE-2026-40903

Critical

Published: 21 April 2026
Modified: 01 May 2026
KEV Added: not listed
Patch: fixed in goshs 2.0.0-beta.6
CVSS Score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0004 (13.0th percentile)
Risk Priority: 18 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-40903 is a critical-severity Inclusion of Functionality from Untrusted Control Sphere (CWE-829) vulnerability in goshs (recorded in the CPE data as vendor Goshs, product Goshs). Its CVSS v3.1 base score is 9.1 (Critical).

Operationally, the page maps exploitation to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 13.0th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog. Note that the exposed surface is the project's GitHub Actions workflow artifacts, not a running goshs server, so these scores describe the artifact leak rather than a flaw reachable on deployed instances.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and Steal Application Access Token (T1528). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) · AI

prevent: SI-2 Flaw Remediation

Directly mitigates CVE-2026-40903 by requiring timely remediation: upgrade goshs to 2.0.0-beta.6 or later, the release in which the ArtiPACKED issue is fixed.

detect: RA-5 Vulnerability Monitoring and Scanning

Enables proactive detection of goshs installations older than 2.0.0-beta.6 through vulnerability scanning for CVEs like CVE-2026-40903.

detect

Monitors for unauthorized disclosure of sensitive information, such as a GITHUB_TOKEN leaked through the goshs project's workflow artifacts.

MITRE ATT&CK Enterprise Techniques · AI

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1528 Steal Application Access Token (Credential Access)
Adversaries can steal application access tokens as a means of acquiring credentials to access remote systems and resources.
Why these techniques?

The GITHUB_TOKEN is carried inside a workflow artifact that can be downloaded from the project's repository, so an attacker needs neither credentials on the project nor access to a deployed goshs server; recovering the token from the artifact is T1528 (Steal Application Access Token). T1190 is a looser fit: the Internet-facing surface involved is the repository's artifact download, not the goshs HTTP server itself.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.6, goshs has an ArtiPACKED vulnerability. ArtiPACKED can lead to leakage of the GITHUB_TOKEN through workflow artifacts, even though the token is not present in the repository source code. This vulnerability is fixed in 2.0.0-beta.6.

Deeper analysis · AI

CVE-2026-40903 is an ArtiPACKED vulnerability (CWE-829) affecting goshs, a SimpleHTTPServer implementation written in Go. Versions prior to 2.0.0-beta.6 are affected. ArtiPACKED is a class of GitHub Actions weakness rather than a flaw in the server code: in the pattern documented for this class, actions/checkout persists the job's GITHUB_TOKEN in the working copy's .git/config (as a basic-auth extraheader value) unless persist-credentials is disabled, and a workflow step that uploads the working directory as an artifact ships that file, and the token with it, to anyone who can download the artifact. That is why the token leaks even though it never appears in the repository source. The advisory on this page does not reproduce the exact goshs workflow. The vulnerability carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N), rated Critical: the artifact is reachable over the network, no authentication or user interaction is required, and both confidentiality and integrity impact are high.

The attacker needs no access to a deployed goshs instance and no privileges on the project; downloading the leaked artifact is enough. The extracted GITHUB_TOKEN grants whatever the workflow's token was permitted on the goshs repository, potentially including pushing commits or publishing releases, and therefore a path to tampering with the project's own distribution. Two caveats narrow the window: the token is only valid while the workflow job that issued it is running (GitHub invalidates it when the job completes), and its scope is whatever the workflow's permissions block allowed, so a read-only token leaks far less than a write-capable one.
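The practical check for a downloaded artifact is to look for the persisted checkout credential described above. The following Go program is an added example written for this page, not code from the goshs project or its advisory. It assumes the leak takes the classic ArtiPACKED form (an `extraheader = AUTHORIZATION: basic <base64>` line in `.git/config` inside an uploaded artifact) and that job tokens look like `ghs_` plus 36 alphanumerics; the sample config, the artifact layout and the token value are constructed for the demonstration.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"regexp"
	"strings"
)

// Leak is one credential recovered from an extracted workflow artifact.
type Leak struct {
	Path   string // file inside the artifact, relative to its root
	Source string // "git-extraheader" (persisted checkout credential) or "raw-token"
	User   string // basic-auth user, normally x-access-token; empty for raw tokens
	Token  string // recovered token value
}

// actions/checkout persists the job token with
// git config http.https://github.com/.extraheader "AUTHORIZATION: basic <base64(x-access-token:TOKEN)>"
// so the .git/config line to look for has this shape.
var extraheaderRe = regexp.MustCompile(`(?i)extraheader\s*=\s*authorization:\s*basic\s+([A-Za-z0-9+/=]+)`)

// Assumed token shape: GitHub Actions job tokens are "ghs_" plus 36 alphanumerics.
var rawTokenRe = regexp.MustCompile(`\bghs_[A-Za-z0-9]{36}\b`)

// FindLeaks scans one file's content for both patterns and returns every hit
// with the token decoded. A nil result means nothing was found.
func FindLeaks(path, content string) []Leak {
	var leaks []Leak
	for _, m := range extraheaderRe.FindAllStringSubmatch(content, -1) {
		raw, err := base64.StdEncoding.DecodeString(m[1])
		if err != nil {
			continue // not base64, so not a persisted credential
		}
		user, token, ok := strings.Cut(string(raw), ":")
		if !ok {
			continue
		}
		leaks = append(leaks, Leak{Path: path, Source: "git-extraheader", User: user, Token: token})
	}
	for _, tok := range rawTokenRe.FindAllString(content, -1) {
		leaks = append(leaks, Leak{Path: path, Source: "raw-token", Token: tok})
	}
	return leaks
}

// ScanArtifactDir walks an already-unzipped artifact and reports every leak in
// any regular file; .git/config is the usual hit, but logs and dumps are scanned too.
func ScanArtifactDir(root string) ([]Leak, error) {
	var all []Leak
	err := filepath.WalkDir(root, func(p string, d fs.DirEntry, err error) error {
		if err != nil || d.IsDir() {
			return err
		}
		data, rerr := os.ReadFile(p)
		if rerr != nil {
			return rerr
		}
		rel, _ := filepath.Rel(root, p)
		all = append(all, FindLeaks(rel, string(data))...)
		return nil
	})
	return all, err
}

// Redact keeps the prefix and suffix so a finding can be matched to a token
// without printing the whole secret into yet another log.
func Redact(tok string) string {
	if len(tok) <= 8 {
		return strings.Repeat("*", len(tok))
	}
	return tok[:4] + strings.Repeat("*", len(tok)-8) + tok[len(tok)-4:]
}

// SampleGitConfig builds the .git/config that actions/checkout leaves behind
// with persist-credentials at its default of true. Constructed for this
// example; the token passed in is not a real credential.
func SampleGitConfig(token string) string {
	b64 := base64.StdEncoding.EncodeToString([]byte("x-access-token:" + token))
	return "[remote \"origin\"]\n\turl = https://github.com/patrickhener/goshs\n" +
		"[http \"https://github.com/\"]\n\textraheader = AUTHORIZATION: basic " + b64 + "\n"
}

func main() {
	var leaks []Leak
	if len(os.Args) > 1 {
		var err error
		if leaks, err = ScanArtifactDir(os.Args[1]); err != nil {
			fmt.Fprintln(os.Stderr, "scan failed:", err)
			os.Exit(1)
		}
	} else {
		// No artifact directory given: demonstrate on the constructed sample instead.
		leaks = FindLeaks(".git/config", SampleGitConfig("ghs_"+strings.Repeat("A", 36)))
	}
	for _, l := range leaks {
		fmt.Printf("%s: %s user=%q token=%s\n", l.Path, l.Source, l.User, Redact(l.Token))
	}
	if len(leaks) > 0 {
		os.Exit(2) // non-zero so a CI gate fails when an artifact carries a credential
	}
}
```

Run it as `go run main.go ./extracted-artifact` after unzipping a downloaded artifact; with no argument it scans the constructed sample. The scanner only reads files, so it is safe to point at artifacts from any repository, and it exits non-zero on a hit so it can gate a release pipeline.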

The GitHub security advisory at https://github.com/patrickhener/goshs/security/advisories/GHSA-hpxj-9fgp-fhhf confirms the vulnerability and states that it is fixed in version 2.0.0-beta.6, recommending immediate upgrades to mitigate the risk of token leakage.
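The upgrade removes the leak from the project's own releases, but the workflow hardening behind it is generic and worth seeing beside the weak form. The following is an added illustration written for this page, not the goshs repository's actual workflow: the job names, the `go build` step and the artifact name are assumptions, and the two jobs sit in one file only so the weak and corrected settings can be read side by side.

```yaml
# Constructed illustration of the ArtiPACKED pattern and its fix (not the goshs project's workflow).
name: build

on: [push, pull_request]

permissions:
  contents: read            # least privilege for the job token: a leaked read-only token does far less damage

jobs:
  leaky-build:              # WEAK SHAPE: the artifact carries .git/config, and the token inside it
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        # persist-credentials defaults to true, which writes
        # "AUTHORIZATION: basic <base64(x-access-token:TOKEN)>" into .git/config
      - run: go build -o goshs .
      - uses: actions/upload-artifact@v4
        with:
          name: goshs-build
          path: .             # uploads the whole checkout, .git/ included

  hardened-build:           # CORRECTED SHAPE
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false   # the token is never written to disk
      - run: go build -o goshs .
      - uses: actions/upload-artifact@v4
        with:
          name: goshs-build
          path: goshs         # upload only the build output, never the working tree
```

Either change on its own closes the leak in this pattern (no token on disk, or no `.git/` in the artifact); applying both, plus the read-only `permissions` block, means a future mistake in one place does not reopen it.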

Details

CWE(s)

CWE-829 Inclusion of Functionality from Untrusted Control Sphere

Affected Products

Goshs goshs: 2.0.0 (range: ≤ 2.0.0, as recorded in the CPE match). The advisory places the fix in 2.0.0-beta.6, so the affected builds are the pre-release versions before that beta.

CVEs Like This One

CVE-2026-40884 (same product: Goshs Goshs)
CVE-2026-34581 (same product: Goshs Goshs)
CVE-2026-40883 (same product: Goshs Goshs)
CVE-2026-40885 (same product: Goshs Goshs)
CVE-2026-40189 (same product: Goshs Goshs)
CVE-2026-40876 (same product: Goshs Goshs)
CVE-2026-40188 (same product: Goshs Goshs)
CVE-2025-62726 (shared CWE-829)
CVE-2025-70046 (shared CWE-829)
CVE-2026-28135 (shared CWE-829)

References

GitHub security advisory GHSA-hpxj-9fgp-fhhf: https://github.com/patrickhener/goshs/security/advisories/GHSA-hpxj-9fgp-fhhf