Platform: go
Component: goshs
Fixed in: 2.0.1, 2.0.0-beta.6
CVE-2026-40883 describes a cross-site request forgery (CSRF) vulnerability in goshs, a Go-based HTTP file server. The flaw lets an attacker induce an authenticated user's browser to perform unintended actions, such as deleting files or creating directories, without the user's knowledge. It affects versions 2.0.0-beta.4 through 2.0.0-beta.5; a fix is available in version 2.0.0-beta.6.
The primary impact of this CSRF vulnerability is unauthorized modification of the file system served by goshs. An attacker could use it to delete critical files, create unwanted directories, or otherwise disrupt the server's operation. Because goshs is often used in automation and configuration management scenarios, successful exploitation could lead to broader system compromise. The absence of CSRF protection on state-changing GET routes, combined with reliance on HTTP basic authentication (which the browser attaches to every request to the origin once entered), is what makes this issue particularly concerning.
CVE-2026-40883 was publicly disclosed on 2026-04-21. There is currently no indication of active exploitation and no KEV listing. Public proof-of-concept (PoC) code is not yet available, but the vulnerability's nature makes it relatively easy to exploit, increasing the likelihood of future exploitation attempts. Its simplicity and the widespread use of goshs in various environments warrant careful attention and prompt remediation.
Exploit Status
EPSS: 0.02% (4th percentile)
CISA SSVC
The recommended mitigation for CVE-2026-40883 is to upgrade immediately to goshs version 2.0.0-beta.6 or later, which includes the necessary CSRF protections. If upgrading is not immediately feasible, consider placing a reverse proxy or web application firewall (WAF) with CSRF protection rules in front of goshs to filter out malicious requests. Additionally, restrict access to the vulnerable GET routes (?mkdir, ?delete) to trusted networks or users. While not a complete solution, validating the Origin and Referer request headers on those routes provides an additional layer of defense. After upgrading, confirm the fix by attempting to trigger the vulnerable actions from a different browser session or incognito window to ensure CSRF protection is active.
Update goshs to version 2.0.0-beta.6 or higher to mitigate the CSRF vulnerability. This version implements proper validations to prevent destructive actions through state-changing GET routes.
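The interim mitigation described above, a front-end that refuses cross-site requests to the state-changing query routes, is illustrated here as an added Go example; it is not goshs code and not the project's fix. It assumes goshs is reachable only through this guard, that the only legitimate origin is the constructed value `http://files.internal:8000`, and that `?mkdir` and `?delete` (the routes named in the advisory) are the destructive ones. Requests to those routes that carry neither an Origin nor a Referer header are refused, because failing closed is the safe default when the server cannot tell a user-initiated request from a browser-forged one.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// Query keys that goshs exposes as state-changing GET routes (?mkdir, ?delete),
// as named in the advisory. Any other request is treated as read-only.
var stateChangingKeys = []string{"mkdir", "delete"}

// isStateChanging reports whether the request targets one of the
// destructive query routes, regardless of HTTP method.
func isStateChanging(r *http.Request) bool {
	q := r.URL.Query()
	for _, k := range stateChangingKeys {
		if _, ok := q[k]; ok {
			return true
		}
	}
	return false
}

// originAllowed checks the Origin header, falling back to Referer, against the
// single allowed origin (scheme://host[:port]). A request carrying neither
// header is rejected: a cross-site navigation may omit both, so destructive
// routes fail closed rather than open.
func originAllowed(r *http.Request, allowed string) bool {
	src := r.Header.Get("Origin")
	if src == "" {
		src = r.Header.Get("Referer")
	}
	if src == "" {
		return false
	}
	u, err := url.Parse(src)
	if err != nil || u.Scheme == "" || u.Host == "" {
		return false
	}
	return strings.EqualFold(u.Scheme+"://"+u.Host, allowed)
}

// csrfGuard wraps next and refuses state-changing requests whose Origin/Referer
// does not match allowedOrigin. Read-only requests pass through untouched.
func csrfGuard(allowedOrigin string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if isStateChanging(r) && !originAllowed(r, allowedOrigin) {
			http.Error(w, "cross-site state-changing request refused", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// checkRequest runs one constructed request through the guard (with a stand-in
// upstream that always answers 200) and returns the resulting status code.
func checkRequest(method, target, origin, referer string) int {
	upstream := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
	})
	guard := csrfGuard("http://files.internal:8000", upstream) // assumed legitimate origin
	req := httptest.NewRequest(method, target, nil)
	if origin != "" {
		req.Header.Set("Origin", origin)
	}
	if referer != "" {
		req.Header.Set("Referer", referer)
	}
	rec := httptest.NewRecorder()
	guard.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	// Constructed sample requests: the first two are what a forged cross-site
	// navigation looks like, the third is a legitimate same-origin click,
	// the fourth is a read-only fetch that the guard must not interfere with.
	cases := []struct{ method, target, origin, referer string }{
		{"GET", "http://files.internal:8000/?delete=/tmp/a.txt", "", ""},
		{"GET", "http://files.internal:8000/?delete=/tmp/a.txt", "https://evil.example", ""},
		{"GET", "http://files.internal:8000/?mkdir=newdir", "", "http://files.internal:8000/"},
		{"GET", "http://files.internal:8000/", "https://evil.example", ""},
	}
	for _, c := range cases {
		fmt.Printf("%s %s origin=%q referer=%q -> %d\n", c.method, c.target, c.origin, c.referer,
			checkRequest(c.method, c.target, c.origin, c.referer))
	}
}
```

To deploy this as the reverse proxy the mitigation mentions, pass an `httputil.ReverseProxy` pointed at the goshs listener as `next` and expose only the guard. Origin/Referer checks are defense in depth: clients behind referrer-stripping policies will be refused on the destructive routes, and the check does nothing for non-browser clients, so it complements rather than replaces the upgrade to 2.0.0-beta.6.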
CVE-2026-40883 is a cross-site request forgery (CSRF) vulnerability affecting goshs versions 2.0.0-beta.4 through 2.0.0-beta.5, allowing attackers to trigger destructive actions.
You are affected if you are running goshs version 2.0.0-beta.4 or 2.0.0-beta.5. Check your version and upgrade immediately.
Upgrade to goshs version 2.0.0-beta.6 or later to resolve the CSRF vulnerability. Consider WAF rules as a temporary mitigation.
There is currently no confirmed active exploitation, but the vulnerability's simplicity suggests potential for future attacks.
Refer to the goshs project's official communication channels and release notes for the advisory related to CVE-2026-40883.