File Access Vulnerability in goshs SimpleHTTPServer by Patrick Hener
CVE-2026-40885

7.7HIGH

Key Information:

Vendor: Patrickhener
Status: Goshs
Vendor: CVE Published:; 21 April 2026

🔔 Create Patrickhener Vulnerability Alert

What is CVE-2026-40885?

The goshs SimpleHTTPServer, versions 2.0.0-beta.4 to 2.0.0-beta.5, exposes a critical file access vulnerability. When deployed without global basic authentication, the server leaks file-based Access Control List (ACL) credentials through its public collaborator feed. Unauthorized requests to protected folders are logged before authentication, allowing an unauthenticated user to capture sensitive headers. This can lead to unauthorized reading, uploading, overwriting, and deleting of files within the safeguarded directory. The vulnerability has been addressed in version 2.0.0-beta.6.

Affected Version(s)

goshs >= 2.0.0-beta.4, < 2.0.0-beta.6

References

https://github.com/patrickhener/goshs/security/advisories...

x_refsource_CONFIRM

CVSS V4

Score:

7.7

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

Physical

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 21, 2026
Vulnerability Reserved
Apr 15, 2026

CVE-2026-40885 Data

JSON