CVE-2026-40885: goshs's public collaborator feed leaks .goshs ACL credentials and enables unauthorized access
goshs leaks file-based ACL credentials through its public collaborator feed when the server is deployed without global basic auth. Two behaviours combine: requests to .goshs-protected folders are logged before authorization is enforced, and the collaborator WebSocket broadcasts the raw request headers, Authorization included. An unauthenticated observer of that feed can therefore capture a victim's folder-specific basic-auth header and replay it to read, upload, overwrite, and delete files inside the protected subtree. The exposure applies to deployments that rely on per-folder .goshs ACLs alone, since the absence of global basic auth is what leaves the collaborator feed reachable by unauthenticated clients. I reproduced this on v2.0.0-beta.5, the latest supported release as of April 10, 2026.
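The following Go program is an added illustration of the two defects described above and of the corresponding fix; it is not goshs's code and does not reproduce its internals. `Event`, `Feed`, `aclOK`, the `/private/notes.txt` path and the `alice:s3cret` credential are all constructed for the example. `vulnerableHandler` broadcasts the raw request headers to the feed before the ACL check, so an observer of the feed harvests the victim's Authorization header and replays it successfully; `hardenedHandler` enforces the ACL first and redacts credential-bearing headers before anything is broadcast, so the replay gets a 401.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Event is what a collaborator feed pushes per request; Feed stands in for the WebSocket fan-out (both constructed).
type Event struct {
	Method, Path string
	Headers      map[string]string
}
type Feed struct{ Events []Event }

func (f *Feed) Broadcast(e Event) { f.Events = append(f.Events, e) }

// Credential-bearing headers that must never be copied into a feed.
var sensitiveHeaders = map[string]bool{"Authorization": true, "Proxy-Authorization": true, "Cookie": true}

// eventFrom copies the request into an Event; redact masks credential headers.
func eventFrom(r *http.Request, redact bool) Event {
	e := Event{Method: r.Method, Path: r.URL.Path, Headers: map[string]string{}}
	for k, v := range r.Header {
		e.Headers[k] = strings.Join(v, ",")
		if redact && sensitiveHeaders[http.CanonicalHeaderKey(k)] {
			e.Headers[k] = "[redacted]"
		}
	}
	return e
}

// aclOK stands in for the per-folder .goshs basic-auth check ("alice:s3cret" is a constructed credential).
func aclOK(r *http.Request) bool {
	user, pass, ok := r.BasicAuth()
	return ok && user == "alice" && pass == "s3cret"
}

// vulnerableHandler mirrors the described ordering: broadcast raw headers first, enforce the ACL afterwards.
func vulnerableHandler(feed *Feed) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		feed.Broadcast(eventFrom(r, false))
		if !aclOK(r) {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		fmt.Fprint(w, "contents of a protected file")
	})
}

// hardenedHandler enforces the ACL first and broadcasts only a redacted event, even for authorized requests.
func hardenedHandler(feed *Feed) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !aclOK(r) {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		feed.Broadcast(eventFrom(r, true))
		fmt.Fprint(w, "contents of a protected file")
	})
}

// capturedCredential is what a feed observer can harvest: the first unredacted Authorization value, or "".
func capturedCredential(feed *Feed) string {
	for _, e := range feed.Events {
		if v, ok := e.Headers["Authorization"]; ok && v != "[redacted]" {
			return v
		}
	}
	return ""
}

// send issues a GET for path with the given Authorization value and returns the status code.
func send(h http.Handler, path, authz string) int {
	req := httptest.NewRequest(http.MethodGet, path, nil)
	if authz != "" {
		req.Header.Set("Authorization", authz)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

// simulate plays the scenario: the victim reads a protected file, then the observer replays whatever the feed exposed.
func simulate(build func(*Feed) http.Handler) (captured string, replayStatus int) {
	feed := &Feed{}
	h := build(feed)
	victim := "Basic " + base64.StdEncoding.EncodeToString([]byte("alice:s3cret"))
	send(h, "/private/notes.txt", victim)
	captured = capturedCredential(feed)
	return captured, send(h, "/private/notes.txt", captured)
}

func main() {
	for _, build := range []func(*Feed) http.Handler{vulnerableHandler, hardenedHandler} {
		fmt.Println(simulate(build))
	}
}
```

Redaction is applied regardless of the authorization outcome, not only on the failure path: the victim's request is the authorized one, and it is exactly that request whose header the observer replays. Auditing a feed or log for this class of bug means checking both the order of the log call relative to the auth check and the header set that reaches the sink.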