CVE-2026-42091 Overview
CVE-2026-42091 is a Cross-Site Request Forgery (CSRF) vulnerability [CWE-352] in goshs, a SimpleHTTPServer written in Go. The flaw exists in versions prior to 2.0.2, where the PUT upload handler in httpserver/updown.go lacks the CSRF token validation that was added to the POST upload handler during the earlier CVE-2026-40883 fix. Combined with an unconditional Access-Control-Allow-Origin: * header on the OPTIONS preflight handler in httpserver/server.go, any malicious website can write arbitrary files to a goshs instance through a victim's browser. This bypasses network isolation boundaries such as localhost and internal networks. The issue has been patched in version 2.0.2.
Critical Impact
Attackers can write arbitrary files to a goshs instance reachable by the victim's browser, including instances bound to localhost or internal-only network interfaces, enabling file planting and potential code execution paths depending on how uploaded files are handled.
Affected Products
- goshs versions prior to 2.0.2
- goshs PUT upload handler (httpserver/updown.go)
- goshs OPTIONS preflight handler (httpserver/server.go)
Discovery Timeline
- 2026-05-04 - CVE CVE-2026-42091 published to NVD
- 2026-05-05 - Last updated in NVD database
Technical Details for CVE-2026-42091
Vulnerability Analysis
The vulnerability stems from inconsistent CSRF protection across upload handlers in goshs. After CVE-2026-40883 was remediated, the project added X-CSRF-Token header validation to the POST upload path. The PUT handler was overlooked and continued to accept mutating requests without verifying the token. Because the OPTIONS preflight handler returns Access-Control-Allow-Origin: * unconditionally, browsers permit cross-origin PUT requests to succeed against any goshs instance the victim can reach.
This combination defeats the same-origin assumptions operators rely on when running goshs on localhost or internal addresses. A user browsing an attacker-controlled site triggers PUT requests from their own browser into the trusted network segment, and the goshs server accepts the writes.
Root Cause
The root cause is missing authorization enforcement [CWE-352] on a state-changing HTTP method. The put function in httpserver/updown.go did not invoke checkCSRF before processing uploads, while the POST equivalent did. The permissive CORS preflight response further removed the browser-side barrier that would normally block cross-origin writes.
Attack Vector
An attacker hosts a malicious page that issues a cross-origin PUT request to a known goshs URL such as http://127.0.0.1:8000/loot.txt. The victim only needs to load the attacker's page. The browser sends the OPTIONS preflight, receives the wildcard CORS allowance, and proceeds with the PUT upload. The goshs instance writes the attacker-supplied file to its working directory.
// Security patch in httpserver/updown.go (v2.0.2)
// put handles the PUT request to upload files
func (fs *FileServer) put(w http.ResponseWriter, req *http.Request) {
if !fs.checkCSRF(w, req) {
return
}
if fs.ReadOnly {
fs.handleError(w, req, fmt.Errorf("%s", "Upload not allowed due to 'read only' option"), http.StatusForbidden)
return
}
// ...
}
// Source: https://github.com/patrickhener/goshs/commit/0e715b94e10c3d1aa552276000f15f104dee2f32
The patch adds the same checkCSRF gate the POST handler already used. The companion change in httpserver/handler.go scopes CSRF enforcement to unauthenticated deployments, since basic auth credentials cannot be attached to CORS preflights:
// httpserver/handler.go (v2.0.2)
func (fs *FileServer) checkCSRF(w http.ResponseWriter, req *http.Request) bool {
if fs.User != "" || fs.Pass != "" {
return true
}
if req.Header.Get("X-CSRF-Token") != fs.CSRFToken {
http.Error(w, "Forbidden", http.StatusForbidden)
return false
}
return true
}
// Source: https://github.com/patrickhener/goshs/commit/0e715b94e10c3d1aa552276000f15f104dee2f32
Detection Methods for CVE-2026-42091
Indicators of Compromise
- Unexpected files appearing in goshs working directories that operators did not upload directly.
- HTTP PUT requests to goshs instances originating from browsers with Origin or Referer headers pointing to external, untrusted websites.
- OPTIONS preflight requests to goshs endpoints followed by successful PUT uploads from non-CLI user agents.
Detection Strategies
- Monitor goshs access logs for PUT method requests, particularly when paired with browser User-Agent strings rather than tooling like curl or wget.
- Alert on cross-origin requests where the Origin header does not match the goshs host or local loopback.
- Inventory running goshs processes on workstations and developer hosts to identify exposed instances bound to localhost or internal interfaces.
Monitoring Recommendations
- Track outbound proxy or DNS logs for connections to known malicious sites that may serve cross-origin upload payloads.
- Watch filesystem changes in directories served by goshs using endpoint file integrity monitoring.
- Capture HTTP request metadata (method, origin, path) on hosts running goshs to support post-incident review.
How to Mitigate CVE-2026-42091
Immediate Actions Required
- Upgrade goshs to version 2.0.2 or later on every host where it is installed or invoked ad hoc.
- Audit existing goshs working directories for unexpected files written during the exposure window.
- Stop running goshs instances that are not actively in use, particularly long-lived processes bound to localhost.
Patch Information
The fix is published in goshs Release v2.0.2. The code change is documented in GitHub commit 0e715b9 and the GHSA-rhf7-wvw3-vjvm advisory. The patch enforces checkCSRF on the PUT handler and scopes CSRF validation appropriately when basic authentication is configured.
Workarounds
- Run goshs with the -ro (read-only) flag when upload functionality is not required.
- Configure basic authentication using -b user:pass so the browser cannot complete CORS preflights without credentials.
- Bind goshs to a specific interface and use host firewall rules to restrict which clients can reach the listening port.
# Configuration example: read-only mode with basic auth on loopback
goshs -i 127.0.0.1 -p 8000 -ro -b admin:$(openssl rand -hex 16)
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
