CVE-2026-40883: goshs has CSRF in state-changing GET routes enables authenticated file deletion and directory creation

April 14, 2026 (updated April 27, 2026)

goshs contains a cross-site request forgery issue in its state-changing HTTP GET routes. An external attacker can cause an already authenticated browser to trigger destructive actions such as ?delete and ?mkdir because goshs relies on HTTP basic auth alone and performs no CSRF, Origin, or Referer validation for those routes. I reproduced this on v2.0.0-beta.5.

References

github.com/advisories/GHSA-jrq5-hg6x-j6g3
github.com/patrickhener/goshs
github.com/patrickhener/goshs/security/advisories/GHSA-jrq5-hg6x-j6g3
nvd.nist.gov/vuln/detail/CVE-2026-40883

Code Behaviors & Features

Detect and mitigate CVE-2026-40883 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →