PT-2026-33234 · Goshs · Goshs
R1Zzg0D · Published 2026-04-14 · Updated 2026-04-27 · CVE-2026-40885
CVSS v3.1: 8.8 High
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: goshs versions 2.0.0-beta.4 through 2.0.0-beta.5
Description: When deployed without global basic authentication, the server leaks file-based Access Control List (ACL) credentials through its public collaborator feed. Requests to folders protected by a .goshs file are logged before authorization is enforced. Consequently, the collaborator websocket broadcasts raw request headers, including the Authorization header, to all connected clients. An unauthenticated observer can capture a victim's folder-specific basic-auth header and replay it to read, upload, overwrite, and delete files within the protected subtree.
Recommendations: Update to version 2.0.0-beta.6. As a temporary workaround, restrict access to the collaborator websocket and panel using authentication boundaries.
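The ordering defect described above, as an added example in Go that is not goshs code: a hypothetical collaborator feed that records a request before the per-folder ACL check and copies headers verbatim, next to the corrected version that authorizes first and redacts credential-bearing headers before anything is published. FeedEntry, credentialHeaders, folderAuthorized, LeakyHandle and SafeHandle are assumed names, and the "user:pass" credential format is an assumption rather than the .goshs file format.

```go
package main

import (
	"net/http"
	"strings"
)

// FeedEntry is one record pushed to a shared collaborator feed (constructed type, not goshs code).
type FeedEntry struct {
	Path    string
	Headers map[string]string
}
// credentialHeaders must never reach a feed that unauthenticated clients can read.
var credentialHeaders = map[string]bool{"Authorization": true, "Cookie": true}

// flattenHeaders copies request headers into a map; with redact set, credential-bearing ones are masked.
func flattenHeaders(h http.Header, redact bool) map[string]string {
	out := make(map[string]string, len(h))
	for k, v := range h {
		name := http.CanonicalHeaderKey(k)
		if redact && credentialHeaders[name] {
			out[name] = "[REDACTED]"
			continue
		}
		out[name] = strings.Join(v, ", ")
	}
	return out
}
// folderAuthorized stands in for the per-folder ACL check; the "user:pass" format is an assumption, not the .goshs format.
func folderAuthorized(r *http.Request, expected string) bool {
	user, pass, ok := r.BasicAuth()
	return ok && user+":"+pass == expected
}
// LeakyHandle reproduces the vulnerable ordering: published to the feed, raw headers included, before the ACL check.
func LeakyHandle(r *http.Request, expected string, feed *[]FeedEntry) int {
	*feed = append(*feed, FeedEntry{Path: r.URL.Path, Headers: flattenHeaders(r.Header, false)})
	if !folderAuthorized(r, expected) {
		return http.StatusUnauthorized
	}
	return http.StatusOK
}
// SafeHandle authorizes first and only then publishes a redacted record, so no credential reaches the feed.
func SafeHandle(r *http.Request, expected string, feed *[]FeedEntry) int {
	if !folderAuthorized(r, expected) {
		return http.StatusUnauthorized
	}
	*feed = append(*feed, FeedEntry{Path: r.URL.Path, Headers: flattenHeaders(r.Header, true)})
	return http.StatusOK
}
```

Exercise both handlers from a go test file with an httptest request carrying basic-auth: the leaky feed ends up holding the raw "Basic ..." value even for a rejected request, while the safe feed records nothing for rejected requests and only a redacted header for accepted ones.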

Information Disclosure

Weakness Enumeration

Related Identifiers

CVE-2026-40885
GHSA-7H3J-592V-JCRP

Affected Products

Goshs