Critical ArtiPACKED Vulnerability in goshs Server Leaks GitHub Tokens

The National Vulnerability Database has disclosed a critical vulnerability, CVE-2026-40903, impacting goshs, a SimpleHTTPServer written in Go. Prior to version 2.0.0-beta.6, goshs is susceptible to an ArtiPACKED vulnerability. This flaw, rated with a CVSS score of 9.1 (CRITICAL), allows for the leakage of GITHUB_TOKEN values through workflow artifacts.

This is particularly concerning because the GITHUB_TOKEN is not explicitly stored in the repository source code. Attackers exploiting this vulnerability could gain unauthorized access to GitHub repositories and associated resources, potentially leading to code tampering, data exfiltration, or further supply chain attacks. The vulnerability is categorized under CWE-829, indicating an inclusion of unwanted resources in a software package.

Defenders must recognize that even if sensitive tokens are not directly committed to a repo, misconfigurations or vulnerabilities in CI/CD pipelines and build processes can expose them. The fix is available in goshs version 2.0.0-beta.6. Organizations leveraging goshs should prioritize upgrading immediately to mitigate this critical risk.

What This Means For You

  • If your development pipelines use `goshs` as a Go-based SimpleHTTPServer, immediately check your deployed versions. Any instance running prior to 2.0.0-beta.6 is vulnerable to `GITHUB_TOKEN` leakage. Patch to 2.0.0-beta.6 or later, and perform an audit of your GitHub workflow artifacts for any unauthorized `GITHUB_TOKEN` exposure.
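As an added defensive example (not code from the advisory or from the goshs project), the following Python script audits a downloaded workflow artifact zip for a persisted `GITHUB_TOKEN`. It assumes the two usual exposure paths for an artifact built from a whole checkout: the base64 `AUTHORIZATION: basic` header that `actions/checkout` persists in `.git/config`, and a raw token (GitHub Actions tokens carry the `ghs_` prefix) left in logs or environment dumps; the sample artifact is constructed inline with a placeholder token.

```python
import base64
import io
import re
import zipfile

# GITHUB_TOKEN values issued to workflows are GitHub App installation tokens, prefix "ghs_".
RAW_TOKEN_RE = re.compile(rb"ghs_[A-Za-z0-9]{20,}")
# actions/checkout persists the token as an http.extraheader "AUTHORIZATION: basic <base64>".
EXTRAHEADER_RE = re.compile(rb"AUTHORIZATION:\s*basic\s+([A-Za-z0-9+/=]+)", re.I)


def scan_artifact(zip_bytes: bytes) -> list[tuple[str, str]]:
    """Return (member path, finding) pairs for every token exposure found in the zip."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for member in zf.namelist():
            data = zf.read(member)
            for m in EXTRAHEADER_RE.finditer(data):
                try:
                    cred = base64.b64decode(m.group(1), validate=True)
                except ValueError:  # binascii.Error is a ValueError: not base64, skip
                    continue
                # The persisted credential is "x-access-token:<GITHUB_TOKEN>".
                if cred.startswith(b"x-access-token:"):
                    findings.append((member, "git extraheader with x-access-token credential"))
            if RAW_TOKEN_RE.search(data):
                findings.append((member, "raw ghs_ token"))
    return findings


def build_sample_artifact() -> bytes:
    """Constructed sample: a workspace zipped whole, .git/config included (placeholder token)."""
    token = b"ghs_" + b"A" * 36  # placeholder, not a real token
    cred = base64.b64encode(b"x-access-token:" + token)
    git_config = b'[http "https://github.com/"]\n\textraheader = AUTHORIZATION: basic ' + cred + b"\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("workspace/.git/config", git_config)
        zf.writestr("workspace/build.log", b"build ok\nGH_TOKEN=" + token + b"\n")
        zf.writestr("workspace/README.md", b"# clean file\n")
    return buf.getvalue()


if __name__ == "__main__":
    for path, what in scan_artifact(build_sample_artifact()):
        print(f"{path}: {what}")
```

Run it against artifacts downloaded from the workflow runs you audit; any hit means the token was exposed to everyone who could download that artifact during its retention window, so rotate it and set `persist-credentials: false` or exclude `.git` from uploads.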


Indicators of Compromise

| ID | Type | Indicator |
|---|---|---|
| CVE-2026-40903 | Information Disclosure | goshs SimpleHTTPServer versions prior to 2.0.0-beta.6 |
| CVE-2026-40903 | Information Disclosure | Leakage of GITHUB_TOKEN through workflow artifacts |
| CVE-2026-40903 | Vulnerability Type | ArtiPACKED vulnerability |

Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: April 21, 2026 at 23:17 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
