goshs Flaws Enable Auth Bypass and GitHub Token Leakage
Two high-severity vulnerabilities were disclosed in goshs, a Go-based SimpleHTTPServer, affecting multiple pre-release and stable versions. CVE-2026-34581 affects versions from 1.1.0 up to, but not including, 2.0.0-beta.2 and allows attackers to abuse the Share Token feature to bypass download restrictions. The flaw can expose goshs functionality beyond the intended file access controls and may lead to code execution. The issue is classified as CWE-288 and was fixed in 2.0.0-beta.2.
A second flaw, CVE-2026-40903, affects goshs versions before 2.0.0-beta.6 and is described as an ArtiPACKED vulnerability: GITHUB_TOKEN values can leak through GitHub Actions workflow artifacts even when the token never appears in the repository source code. The issue is mapped to CWE-829 and carries high confidentiality and integrity impact, extending the concern from application access control to CI/CD credential exposure. The vendor lists 2.0.0-beta.6 as the fix version, and a GitHub security advisory has been published.
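The page summarizes the artifact leak without describing the mechanism. The following is an added example, not goshs code and not taken from the advisory, showing the defender-side gate a CI pipeline can run before publishing an artifact. It assumes the pattern documented in the public ArtiPACKED research (not stated on this page): actions/checkout persists the job's GITHUB_TOKEN in `.git/config` as an `extraheader = AUTHORIZATION: basic ...` line, so an upload-artifact step that packages the whole workspace ships the token inside the artifact. The sample workspaces, the placeholder token value, and the function names are all constructed for the example.

```shell
#!/bin/sh
# Added example; not goshs code and not taken from the advisory.
# Pre-upload gate for a GitHub Actions artifact staging directory.
# Assumption (from the public ArtiPACKED research, not from this page):
# actions/checkout leaves the job's GITHUB_TOKEN in .git/config as
# "extraheader = AUTHORIZATION: basic <base64>", so uploading the whole
# workspace as an artifact ships the token with it.

# Returns 0 if the tree is safe to upload, 1 if any git config under it
# (top-level checkout or a submodule) still carries an AUTHORIZATION header.
check_artifact_dir() {
    dir="$1"
    hits=$(find "$dir" -type f -path '*/.git/config' \
               -exec grep -li 'extraheader *= *AUTHORIZATION' '{}' + 2>/dev/null || true)
    if [ -n "$hits" ]; then
        printf 'refusing to upload %s: persisted credential in\n%s\n' "$dir" "$hits" >&2
        return 1
    fi
    return 0
}

# Remove the persisted credential so the tree becomes safe to upload.
# The equivalent prevention at checkout time is `persist-credentials: false`.
scrub_artifact_dir() {
    dir="$1"
    find "$dir" -type f -path '*/.git/config' \
        -exec sed -i.bak '/extraheader *= *AUTHORIZATION/d' '{}' \; 2>/dev/null
    find "$dir" -type f -name 'config.bak' -path '*/.git/*' -delete 2>/dev/null
    return 0
}

# Constructed sample workspace as a default checkout would leave it.
# The token value is a placeholder, not a real credential.
make_leaky_tree() {
    mkdir -p "$1/.git" "$1/dist"
    printf '[remote "origin"]\n\turl = https://github.com/example/repo\n' > "$1/.git/config"
    printf '[http "https://github.com/"]\n\textraheader = AUTHORIZATION: basic PLACEHOLDER_BASE64\n' >> "$1/.git/config"
    printf 'built binary\n' > "$1/dist/app"
}

# Constructed sample: the same layout after a checkout with persist-credentials: false.
make_clean_tree() {
    mkdir -p "$1/.git" "$1/dist"
    printf '[remote "origin"]\n\turl = https://github.com/example/repo\n' > "$1/.git/config"
    printf 'built binary\n' > "$1/dist/app"
}

# Demo: stage both trees and gate each before a hypothetical upload step.
work=$(mktemp -d)
make_leaky_tree "$work/leaky"
make_clean_tree "$work/clean"
for tree in "$work/leaky" "$work/clean"; do
    if check_artifact_dir "$tree"; then
        echo "upload allowed: $tree"
    else
        echo "upload blocked: $tree"
        scrub_artifact_dir "$tree"
        check_artifact_dir "$tree" && echo "after scrub, upload allowed: $tree"
    fi
done
rm -rf "$work"
```

Run the gate against the exact directory passed to `actions/upload-artifact`; in practice the better fix is to upload only the build output (for example `dist/`) and to check out with `persist-credentials: false`, so the scrub step never has anything to remove.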
Timeline
Apr 21, 2026
goshs GitHub Actions token leak flaw disclosed and fixed in 2.0.0-beta.6
On 2026-04-21, CVE-2026-40903 was published for goshs, describing an ArtiPACKED vulnerability that could expose GITHUB_TOKEN values through workflow artifacts in versions before 2.0.0-beta.6. The vendor indicated the issue was remediated in goshs version 2.0.0-beta.6 and referenced a GitHub security advisory.
Apr 2, 2026
goshs auth bypass vulnerability disclosed and patched in 2.0.0-beta.2
On 2026-04-02, a security advisory disclosed CVE-2026-34581 affecting goshs versions from 1.1.0 up to, but not including, 2.0.0-beta.2. The flaw lets attackers abuse the Share Token feature to bypass download restrictions and potentially reach broader functionality, including code execution; the issue was fixed in version 2.0.0-beta.2.
Related Stories

Path Traversal Flaws in goshs Upload Handlers Allow Remote File Write
Two high-severity vulnerabilities, **CVE-2026-35392** and **CVE-2026-35393**, were disclosed in **goshs**, a Go-based SimpleHTTPServer, affecting versions prior to **`2.0.0-beta.3`**. Both issues are classified as **CWE-22 path traversal** flaws that arise from missing pathname sanitization in file upload functionality: **PUT** upload handling in `httpserver/updown.go` and **POST multipart** upload directory processing. The weaknesses could allow remote, unauthenticated attackers to write files outside intended directories. Both CVEs carry the same **CVSS v3** vector, **`AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`**, indicating high impact to confidentiality, integrity, and availability. The vulnerabilities were addressed in **`2.0.0-beta.3`**, and related GitHub security advisories were published alongside the fixes. Organizations using goshs for file upload workflows should prioritize upgrading and review exposed instances for unauthorized file placement or tampering.
3 weeks ago
FastGPT flaws enable GitHub Actions code execution and NoSQL auth bypass
FastGPT, an AI agent building platform, was disclosed with multiple high-severity vulnerabilities affecting both its application and development pipeline. **CVE-2026-33075** impacts versions `4.14.8.3` and earlier and stems from the `fastgpt-preview-image.yml` GitHub Actions workflow using `pull_request_target` while checking out untrusted fork code. The flaw allows external contributors to achieve arbitrary code execution in GitHub Actions, exfiltrate secrets, and potentially trigger a supply-chain compromise by building and pushing attacker-controlled container images to the production registry. At disclosure, no patch was available for that issue; GitHub tracked it as `GHSA-xfx8-w35j-485c`. Two additional flaws, **CVE-2026-40351** and **CVE-2026-40352**, affect FastGPT versions prior to `4.14.9.5` and were fixed in that release. Both are **NoSQL injection** bugs caused by missing runtime validation in password-handling logic. The first lets an unauthenticated attacker bypass login checks by supplying MongoDB operators such as a password object matching any value, enabling login as arbitrary users including the root administrator. The second lets an authenticated low-privileged user bypass old-password verification in the password-change endpoint, enabling unauthorized password resets and possible account takeover, with broader impact if combined with ID manipulation.
2 weeks ago
GitHub `Kernel#send()` Flaw Exposed Secrets and Enabled GHES RCE Path
A vulnerability tracked as **`CVE-2024-0200`** allowed attackers with organization owner privileges to abuse an unsafe Ruby `Kernel#send()` call in GitHub’s organization repository settings flow and invoke unintended zero-argument methods on `Repository` objects. Researchers showed the bug could be used to trigger `Repository::GitDependency#nw_fsck()` and leak roughly **2 MB of environment variables** from a production GitHub.com container, exposing access keys, secrets, and internal configuration because spawned git processes inherited the parent environment. The issue affected **GitHub.com** and **GitHub Enterprise Server (GHES)** instances with GitHub Actions enabled, but the impact was more severe on GHES. STAR Labs reported that leaked variables on GHES could include `ENTERPRISE_SESSION_SECRET` and other Marshal-related secrets, which could be chained with forged Rails session cookies and an unsafe `Marshal.load` path to achieve **remote code execution**. GitHub hotfixed GitHub.com on December 26, 2023, and later released a patch and advisory, while recommended mitigations included allowlisting the `rid_key` parameter, reducing environment variables passed to git processes, rotating exposed secrets, and monitoring `repository_items` requests for abnormal `rid_key` values.
2 weeks ago