Platform: go
Component: goshs
Fixed in: 2.0.1, 2.0.0-beta.6
CVE-2026-40883 describes a cross-site request forgery (CSRF) vulnerability discovered in goshs, a Go-based server. This flaw allows an attacker to induce authenticated users to perform unintended actions, such as deleting files or creating directories, without their knowledge. The vulnerability affects versions 2.0.0-beta.4 through 2.0.0-beta.5, and a fix is available in version 2.0.0-beta.6.
The primary impact of this CSRF vulnerability lies in the potential for unauthorized modification of the goshs server's file system. An attacker could leverage this to delete critical files, create malicious directories, or otherwise disrupt the server's operation. Because goshs is often used in automation and configuration management scenarios, successful exploitation could lead to broader system compromise. The lack of CSRF protection on state-changing GET routes, combined with reliance on HTTP basic authentication, makes this vulnerability particularly concerning. As with other CSRF vulnerabilities, the attacker relies on tricking an authenticated user's browser into sending a request the user did not intend.
CVE-2026-40883 was publicly disclosed on 2026-04-21. There is currently no indication of active exploitation or a KEV listing. Public proof-of-concept (PoC) code is not yet available, but the vulnerability's nature makes it relatively easy to exploit, increasing the likelihood of future exploitation attempts. The vulnerability's simplicity and the widespread use of goshs in various environments warrant careful attention and prompt remediation.
Organizations and individuals using goshs version 2.0.0-beta.4 through 2.0.0-beta.5, particularly those deploying goshs in automated environments or as part of configuration management systems, are at significant risk. Shared hosting environments where multiple users share a goshs instance are also particularly vulnerable.
• linux / server:
ps aux | grep goshs
• generic web:
curl -I 'https://your-goshs-server.com/?mkdir'
curl -I 'https://your-goshs-server.com/?delete'
Check access logs for unusual GET requests to / with parameters like ?mkdir or ?delete originating from unexpected IP addresses.
disclosure
Exploit status
EPSS: 0.02% (4th percentile)
CISA SSVC
The recommended mitigation for CVE-2026-40883 is to immediately upgrade to goshs version 2.0.0-beta.6 or later, which includes the necessary CSRF protections. If upgrading is not immediately feasible, consider implementing a reverse proxy or web application firewall (WAF) with CSRF protection rules to filter out malicious requests. Additionally, restrict access to the vulnerable GET routes (?mkdir, ?delete) to trusted networks or users. While not a complete solution, enforcing stricter HTTP headers (e.g., Origin and Referer validation) can provide an additional layer of defense. After upgrading, confirm the fix by attempting to trigger the vulnerable actions from a different browser session or incognito window to ensure CSRF protection is active.
Update goshs to version 2.0.0-beta.6 or later to mitigate the CSRF vulnerability. This version implements proper validation to prevent destructive actions via state-changing GET routes.
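As an added illustration of the Origin/Referer validation mentioned above (example code written for this page, not goshs's own code), the following Go middleware refuses requests to the state-changing ?mkdir and ?delete routes whose Origin header (or, failing that, Referer) does not name the host the server is reached as. The host names goshs.local and attacker.example, the listener on :8000 and the file server it fronts are constructed placeholders for the demonstration.

```go
package main

import (
	"log"
	"net/http"
	"net/url"
)

// The advisory names ?mkdir and ?delete as the state-changing GET routes.
var stateChanging = []string{"mkdir", "delete"}

func isStateChanging(r *http.Request) bool {
	q := r.URL.Query()
	for _, p := range stateChanging {
		if _, ok := q[p]; ok {
			return true
		}
	}
	return false
}

// sameOrigin requires Origin (or, failing that, Referer) to name the host the
// server is reached as. A state-changing request carrying neither header is
// refused, since a cross-site navigation may omit both; "Origin: null" also
// fails because it parses to an empty host.
func sameOrigin(r *http.Request) bool {
	src := r.Header.Get("Origin")
	if src == "" {
		src = r.Header.Get("Referer")
	}
	u, err := url.Parse(src)
	return err == nil && u.Host != "" && u.Host == r.Host
}

// CSRFGuard refuses cross-site state-changing requests and lets reads through.
func CSRFGuard(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if isStateChanging(r) && !sameOrigin(r) {
			http.Error(w, "cross-site state-changing request rejected", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	// Constructed demo: front a plain file server with the guard on :8000.
	log.Fatal(http.ListenAndServe(":8000", CSRFGuard(http.FileServer(http.Dir(".")))))
}
```

Referer can be suppressed by a referrer policy and Origin is absent on many top-level navigations, so this is the defense-in-depth layer the advisory describes, not a substitute for upgrading.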
CVE-2026-40883 is a cross-site request forgery (CSRF) vulnerability affecting goshs versions 2.0.0-beta.4 through 2.0.0-beta.5, allowing attackers to trigger destructive actions.
You are affected if you are running goshs version 2.0.0-beta.4 or 2.0.0-beta.5. Check your version and upgrade immediately.
Upgrade to goshs version 2.0.0-beta.6 or later to resolve the CSRF vulnerability. Consider WAF rules as a temporary mitigation.
There is currently no confirmed active exploitation, but the vulnerability's simplicity suggests potential for future attacks.
Refer to the goshs project's official communication channels and release notes for the advisory related to CVE-2026-40883.