Description
gopls by default communicates via pipe. However, -port and -listen flags are supported as means of debugging.
If -listen is given a value without an explicit host (e.g. :8080), or -port is used, gopls will listen on 0.0.0.0.
As a result, users might inadvertently cause gopls to bind 0.0.0.0.
This can allow a malicious party on the same network to execute code arbitrarily via gopls.
Published: 2026-05-06
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

gopls, when started with the -listen or -port flag without specifying a host, binds to the address 0.0.0.0. Because this binding exposes the development server on every network interface, an attacker on the same network can connect to the gopls instance and send arbitrary commands, allowing execution of code. This flaw is a classic example of CWE-1327, where a service is exposed to unintended parties, resulting in full compromise of confidentiality, integrity, and availability.

Affected Systems

golang.org/x/tools:gopls is the affected component. All current releases that support -listen or -port without a host parameter are vulnerable; vendor version details are not provided.

Risk and Exploitability

The vulnerability can be leveraged when a user runs gopls in debug mode on a shared or otherwise untrusted network. No public exploit has been reported and the EPSS score is currently unavailable, but the absence of a restriction on the bind address means the attack is straightforward once the conditions are met. The issue is not listed in the KEV catalog, yet the potential for arbitrary code execution warrants care. The CVSS score of 8.8 indicates a high severity level.

Generated by OpenCVE AI on May 6, 2026 at 18:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Avoid using the -listen or -port flags without specifying a host when running gopls in production or shared environments.
  • If debugging is required, explicitly set a local or private bind address rather than relying on default behavior.
  • Ensure gopls is updated to a patched version as soon as it becomes available.
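One way to enforce the second recommended action in a launcher script, as an added example that is neither OpenCVE's nor the gopls project's own code: the hypothetical `SafeListenAddr` rejects the wildcard forms named in the description (`:8080`, `0.0.0.0:<port>`, `[::]:<port>`), rewrites a bare `-port` value as an explicit loopback `-listen`, and only then starts gopls. The `GOPLS_LISTEN` environment variable and the `gopls-wrap` name are assumptions for the example.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"os"
	"os/exec"
	"strconv"
)

// ErrWildcardBind covers the forms the advisory warns about: a -listen value
// with no host (":8080") or an unspecified address ("0.0.0.0:8080", "[::]:8080").
var ErrWildcardBind = errors.New("refusing to start gopls on a wildcard address")

// SafeListenAddr validates a -listen value, or converts a bare -port value
// (port > 0, listen == ""), into a host:port pinned to a loopback address.
// Hostnames are rejected so that name resolution cannot widen the bind.
func SafeListenAddr(listen string, port int) (string, error) {
	if listen == "" && port > 0 {
		// -port alone makes gopls listen on 0.0.0.0; rewrite it as loopback.
		return net.JoinHostPort("127.0.0.1", strconv.Itoa(port)), nil
	}
	host, portStr, err := net.SplitHostPort(listen)
	if err != nil {
		return "", fmt.Errorf("invalid listen address %q: %w", listen, err)
	}
	ip := net.ParseIP(host)
	if host == "" || (ip != nil && ip.IsUnspecified()) {
		return "", ErrWildcardBind
	}
	if ip == nil || !ip.IsLoopback() {
		return "", fmt.Errorf("host %q is not a loopback address", host)
	}
	return net.JoinHostPort(host, portStr), nil
}

func main() {
	// Hypothetical wrapper: validate GOPLS_LISTEN, then hand gopls an explicit -listen.
	addr, err := SafeListenAddr(os.Getenv("GOPLS_LISTEN"), 0)
	if err != nil {
		fmt.Fprintln(os.Stderr, "gopls-wrap:", err)
		os.Exit(2)
	}
	cmd := exec.Command("gopls", "-listen="+addr)
	cmd.Stdout, cmd.Stderr = os.Stdout, os.Stderr
	if err := cmd.Run(); err != nil {
		os.Exit(1)
	}
}
```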

Advisories

No advisories yet.

History

Wed, 06 May 2026 17:15:00 +0000

Type: Metrics
Values added:
  cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 06 May 2026 16:45:00 +0000

Type: Description, Title, Weaknesses, References
Values added:
  Description: gopls by default communicates via pipe. However, -port and -listen flags are supported as means of debugging. If -listen is given a value without an explicit host (e.g. :8080), or -port is used, gopls will listen on 0.0.0.0. As a result, users might inadvertently cause gopls to bind 0.0.0.0. This can allow a malicious party on the same network to execute code arbitrarily via gopls.
  Title: Accidental binding to INADDR_ANY might lead to RCE in golang.org/x/tools/gopls
  Weaknesses: CWE-1327
  References:

MITRE

Status: PUBLISHED

Assigner: Go

Published:

Updated: 2026-05-07T03:55:49.730Z

Reserved: 2026-04-28T00:21:12.792Z

Link: CVE-2026-42503

Vulnrichment

Updated: 2026-05-06T17:08:25.999Z

NVD

Status : Received

Published: 2026-05-06T17:16:23.417

Modified: 2026-05-06T17:16:23.417

Link: CVE-2026-42503

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-06T18:30:09Z

Weaknesses