CVE-2026-42091
Description
goshs is a SimpleHTTPServer written in Go. Prior to version 2.0.2, the PUT upload handler (httpserver/updown.go) lacks the CSRF token validation that was added to the POST upload handler during the CVE-2026-40883 fix. Combined with the unconditional Access-Control-Allow-Origin: * on the OPTIONS preflight handler (httpserver/server.go), any website can write arbitrary files to a goshs instance through the victim's browser — bypassing network isolation (e.g. localhost, internal network). This issue has been patched in version 2.0.2.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| github.com/patrickhener/goshs/v2 | Go | < 2.0.2 | 2.0.2 |
| github.com/patrickhener/goshs | Go | <= 1.1.4 | — |
Patches
0e715b94e10c Fix security issue https://github.com/patrickhener/goshs/security/advisories/GHSA-rhf7-wvw3-vjvm
2 files changed · +10 −4
httpserver/handler.go+7 −4 modified@@ -101,11 +101,14 @@ func (fs *FileServer) doFile(file *os.File, w http.ResponseWriter, req *http.Req } // checkCSRF validates the X-CSRF-Token header for mutating actions. -// The token is always generated and always embedded in the page, so legitimate -// browser users will always have it. File-based .goshs auth creates browser-cached -// Basic Auth sessions just like global -b auth does, so we enforce this check -// unconditionally rather than only when global auth is configured. +// When basic auth is configured, the BasicAuthMiddleware already gates every +// request (browsers cannot attach credentials to CORS preflights, so the +// preflight fails and the actual request is never sent). CSRF is therefore +// only enforced in open, unauthenticated deployments. func (fs *FileServer) checkCSRF(w http.ResponseWriter, req *http.Request) bool { + if fs.User != "" || fs.Pass != "" { + return true + } if req.Header.Get("X-CSRF-Token") != fs.CSRFToken { http.Error(w, "Forbidden", http.StatusForbidden) return false
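Review bot: The early return on `fs.User != "" || fs.Pass != ""` assumes every cross-origin mutating request is stopped at a CORS preflight, but that only holds for preflighted requests: a cross-site HTML form POST (multipart/form-data is a CORS-safelisted content type, so no preflight is sent) reaches the handler directly, and the browser attaches the cached Basic Auth credentials that the deleted comment lines explicitly warn about ("File-based .goshs auth creates browser-cached Basic Auth sessions just like global -b auth does"). With -b configured this short-circuits the token check on the POST upload handler that the CVE-2026-40883 fix added, so the new comment's claim that "the actual request is never sent" needs a justification for non-preflighted requests, or the check should stay unconditional as the removed comment argued. Separately, `req.Header.Get("X-CSRF-Token") != fs.CSRFToken` is a plain string comparison; crypto/subtle.ConstantTimeCompare would remove the timing side channel on the token.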
httpserver/updown.go+3 −0 modified@@ -17,6 +17,9 @@ import ( // put handles the PUT request to upload files func (fs *FileServer) put(w http.ResponseWriter, req *http.Request) { + if !fs.checkCSRF(w, req) { + return + } if fs.ReadOnly { fs.handleError(w, req, fmt.Errorf("%s", "Upload not allowed due to 'read only' option"), http.StatusForbidden) return
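Review bot: Placing the checkCSRF call ahead of the ReadOnly check is the right order (reject before revealing server mode), but this hunk closes only the token gap named in the advisory: the unconditional Access-Control-Allow-Origin: * on the OPTIONS preflight handler in httpserver/server.go is not among the two files this commit touches, so in an unauthenticated deployment the X-CSRF-Token requirement is now the only thing between a cross-origin page and a file write. Suggest also narrowing the preflight so PUT is not advertised to arbitrary origins, and noting in the put comment that a token-less PUT now yields a bare 403 from http.Error rather than going through the fs.handleError path used by the read-only branch two lines below.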
Vulnerability mechanics
The PUT upload handler in httpserver/updown.go accepted file writes without the X-CSRF-Token check that the CVE-2026-40883 fix had added to the POST upload handler, and the OPTIONS handler in httpserver/server.go answered every preflight with Access-Control-Allow-Origin: *. A page on any origin could therefore drive a cross-origin PUT from the victim's browser: the browser's preflight is accepted, the PUT is sent to the goshs instance (including one bound to localhost or an internal address the attacker cannot reach directly), and the handler writes the request body to the path named in the URL. Version 2.0.2 adds the checkCSRF call to the PUT handler; the same commit also makes checkCSRF return early when basic auth is configured. The table above lists the v1 module as affected with no patched version, so only the v2 module line carries the fix.
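The cross-origin write described in the advisory, as an added example that is not goshs's own code: a constructed in-memory stand-in for the upload directory, a minimal handler in the pre-2.0.2 shape (preflight answered with Access-Control-Allow-Origin: *, PUT with no token check) beside a hardened one (X-CSRF-Token required and compared in constant time, preflight that grants nothing to foreign origins), driven with net/http/httptest to replay what a browser sends before and after the preflight. The names memStore, vulnerableMux, hardenedMux, preflightAllowsPut, crossOriginPut, the token value and the origin https://attacker.example are assumptions made for this example.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// memStore is a constructed in-memory stand-in for the upload directory:
// request path -> uploaded body. It is exercised sequentially here.
type memStore struct{ files map[string][]byte }

func newMemStore() *memStore { return &memStore{files: map[string][]byte{}} }

// writeUpload stores the PUT body at the request path (the advisory's
// arbitrary file write, reduced to a map entry).
func writeUpload(store *memStore, w http.ResponseWriter, r *http.Request) {
	body, _ := io.ReadAll(r.Body)
	store.files[r.URL.Path] = body
	w.WriteHeader(http.StatusCreated)
}

// vulnerableMux mirrors the pre-2.0.2 shape the advisory describes: the
// preflight answers every origin with Access-Control-Allow-Origin: * and
// PUT writes wherever the URL points, with no CSRF token check.
func vulnerableMux(store *memStore) http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
		switch r.Method {
		case http.MethodOptions:
			w.Header().Set("Access-Control-Allow-Origin", "*")
			w.Header().Set("Access-Control-Allow-Methods", "GET, POST, PUT, OPTIONS")
			w.WriteHeader(http.StatusNoContent)
		case http.MethodPut:
			writeUpload(store, w, r)
		default:
			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
		}
	})
	return mux
}

// hardenedMux closes both gaps: PUT requires the per-instance token in
// X-CSRF-Token (constant-time compare, so response timing leaks nothing)
// and the preflight sets no Access-Control-Allow-* headers, so a browser
// refuses to send the cross-origin PUT at all. Same-origin page scripts
// never preflight and carry the embedded token, so they keep working.
func hardenedMux(store *memStore, csrfToken string) http.Handler {
	checkCSRF := func(w http.ResponseWriter, r *http.Request) bool {
		got := []byte(r.Header.Get("X-CSRF-Token"))
		if subtle.ConstantTimeCompare(got, []byte(csrfToken)) != 1 {
			http.Error(w, "Forbidden", http.StatusForbidden)
			return false
		}
		return true
	}
	mux := http.NewServeMux()
	mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
		switch r.Method {
		case http.MethodOptions:
			w.WriteHeader(http.StatusNoContent)
		case http.MethodPut:
			if checkCSRF(w, r) {
				writeUpload(store, w, r)
			}
		default:
			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
		}
	})
	return mux
}

// preflightAllowsPut replays the browser's CORS preflight for a PUT from the
// assumed origin https://attacker.example and reports whether the response
// would let the browser go on to send the real request.
func preflightAllowsPut(h http.Handler, path string) bool {
	req := httptest.NewRequest(http.MethodOptions, path, nil)
	req.Header.Set("Origin", "https://attacker.example")
	req.Header.Set("Access-Control-Request-Method", "PUT")
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Header().Get("Access-Control-Allow-Origin") == "*"
}

// crossOriginPut replays the PUT a victim's browser sends after a successful
// preflight; token == "" models an attacker page that does not know the token.
func crossOriginPut(h http.Handler, path, body, token string) int {
	req := httptest.NewRequest(http.MethodPut, path, strings.NewReader(body))
	req.Header.Set("Origin", "https://attacker.example")
	if token != "" {
		req.Header.Set("X-CSRF-Token", token)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	v := newMemStore()
	vm := vulnerableMux(v)
	fmt.Println("vulnerable: preflight allows PUT:", preflightAllowsPut(vm, "/pwn.txt"),
		"| token-less PUT status:", crossOriginPut(vm, "/pwn.txt", "owned", ""),
		"| stored:", string(v.files["/pwn.txt"]))
	hm := hardenedMux(newMemStore(), "example-token")
	fmt.Println("hardened: preflight allows PUT:", preflightAllowsPut(hm, "/pwn.txt"),
		"| token-less PUT status:", crossOriginPut(hm, "/pwn.txt", "owned", ""),
		"| PUT with token status:", crossOriginPut(hm, "/pwn.txt", "owned", "example-token"))
}
```

Run it with `go run .`; the vulnerable mux accepts the token-less PUT and the hardened one answers 403, and its preflight carries no CORS headers, which is what stops a real browser before the PUT is ever sent. Note that the token only protects open deployments; when basic auth gates the server, the browser-cached credentials question raised against the handler.go hunk still applies.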
References
- github.com/patrickhener/goshs/commit/0e715b94e10c3d1aa552276000f15f104dee2f32 (patch)
- github.com/patrickhener/goshs/security/advisories/GHSA-rhf7-wvw3-vjvm (vendor advisory)
- github.com/advisories/GHSA-rhf7-wvw3-vjvm (GitHub advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-42091 (NVD)
- github.com/patrickhener/goshs/releases/tag/v2.0.2 (release notes)