Impact
goshs versions 2.0.0-beta.4 through 2.0.0-beta.5 leak file-based access control list (ACL) credentials via the public collaborator feed. The server publishes raw request headers, including Basic Authorization headers for protected folders, before enforcing authentication on incoming requests. An attacker who observes the feed can capture a victim's folder-specific Authorization header and replay it to read, upload, overwrite, or delete files within the protected subtree. The weakness is a classic information-disclosure flaw (CWE-200) that also enables unauthorized access to confidential data and operations.
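The mitigation pattern for this class of leak, as an added example that is not goshs code and not the project's actual fix: credential-bearing headers are masked before request metadata reaches a shared feed. The names feedMiddleware, redactHeaders and the publish callback are hypothetical, and the request and password are constructed samples.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Headers that carry credentials and must never reach a shared feed.
var sensitive = []string{"Authorization", "Proxy-Authorization", "Cookie"}

// redactHeaders returns a deep copy of h with credential values masked.
// The caller's header map is left untouched so authentication still works.
func redactHeaders(h http.Header) http.Header {
	out := h.Clone()
	for _, name := range sensitive {
		if _, ok := out[http.CanonicalHeaderKey(name)]; ok {
			out.Set(name, "[REDACTED]") // Set replaces every value of the header
		}
	}
	return out
}

// feedMiddleware (hypothetical) hands only redacted headers to the feed sink;
// publish stands in for whatever broadcasts events to collaborators.
func feedMiddleware(publish func(http.Header), next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		publish(redactHeaders(r.Header))
		next.ServeHTTP(w, r)
	})
}

// simulate sends one constructed request carrying folder credentials through
// the middleware and returns the headers a feed observer would have seen.
func simulate() http.Header {
	var seen http.Header
	h := feedMiddleware(func(hdr http.Header) { seen = hdr },
		http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {}))
	req := httptest.NewRequest("GET", "/protected/report.txt", nil)
	req.SetBasicAuth("alice", "constructed-password") // constructed sample
	req.Header.Set("User-Agent", "example")
	h.ServeHTTP(httptest.NewRecorder(), req)
	return seen
}

func main() {
	fmt.Println(simulate())
}
```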
Affected Systems
The vulnerability affects the open‑source SimpleHTTPServer “goshs” produced by patrickhener. The issue is present in releases 2.0.0‑beta.4 to 2.0.0‑beta.5, and only occurs when the server is run without global basic authentication. The fix is delivered in 2.0.0‑beta.6. Organizations running any affected version should identify installations and confirm they are not exposed to public collaborator feeds.
Risk and Exploitability
The CVSS score of 7.7 indicates high severity. EPSS data is not available, so the probability of exploitation cannot be quantified, and the vulnerability is not listed in the KEV catalog. An unauthenticated observer who can reach the public collaborator feed and the protected folders (typically via the same network, or the Internet if the feed is exposed) can easily capture the Authorization header. Because the credential leakage occurs in a public channel, the attack vector is likely remote over the network. Exploitation requires no special privileges beyond access to the feed, making this a straightforward privilege-escalation scenario for anyone who can observe the traffic.