CVE-2026-42503: CWE-1327 Binding to an unrestricted IP address in golang.org/x/tools golang.org/x/tools/gopls
gopls by default communicates via pipe. However, -port and -listen flags are supported as means of debugging. If -listen is given a value without an explicit host (e.g. :8080), or -port is used, gopls will listen on 0.0.0.0. As a result, users might inadvertently cause gopls to bind 0.0.0.0. This can allow a malicious party on the same network to execute code arbitrarily via gopls.
AI Analysis
Technical Summary
gopls, the Go language server, typically communicates via pipe, but supports -port and -listen flags for debugging. If these flags are used without specifying a host (e.g., using ':8080' or just -port), gopls binds to 0.0.0.0, listening on all network interfaces. This unrestricted binding (CWE-1327) can allow attackers on the same network to connect and execute arbitrary code through gopls. The vulnerability is documented as CVE-2026-42503. There is no CVSS score or vendor remediation information available at this time.
Potential Impact
If exploited, this vulnerability allows a malicious actor on the same network to execute arbitrary code via gopls by connecting to the service bound on all interfaces. This could lead to unauthorized code execution on the affected system. No known exploits have been reported in the wild.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, users should avoid using the -listen or -port flags without specifying an explicit host address to prevent gopls from binding to 0.0.0.0. Restrict network access to the host running gopls to trusted users only.
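The root of this issue is how Go's `net.Listen` interprets a `host:port` string: an empty host (`":8080"`) or the unspecified addresses `0.0.0.0` / `::` mean "every interface", which is exactly what a bare `-port` value or a host-less `-listen` value produces. The program below is an added example, not gopls code or anything from golang.org/x/tools; it shows how to classify a listen address before binding and how to pin a bare port number to loopback, the corrected form of the configuration the mitigation above describes. All function names are this example's own.

```go
package main

import (
	"fmt"
	"net"
	"os"
)

// BindScope describes which interfaces a listen address covers.
type BindScope string

const (
	ScopeLoopback BindScope = "loopback"       // 127.0.0.1, ::1, localhost
	ScopeAll      BindScope = "all-interfaces" // "", 0.0.0.0, ::
	ScopeSpecific BindScope = "specific"       // one concrete interface address
)

// classifyListenAddr mirrors how net.Listen interprets a host:port string:
// an empty host or an unspecified IP means the socket binds on every interface.
// This is a hypothetical helper written for this example.
func classifyListenAddr(addr string) (BindScope, error) {
	host, _, err := net.SplitHostPort(addr)
	if err != nil {
		return "", fmt.Errorf("invalid listen address %q: %w", addr, err)
	}
	if host == "" {
		// ":8080" is the dangerous form named in the advisory.
		return ScopeAll, nil
	}
	if host == "localhost" {
		return ScopeLoopback, nil
	}
	ip := net.ParseIP(host)
	if ip == nil {
		// Refuse to guess what a hostname resolves to; demand a literal IP.
		return "", fmt.Errorf("listen host %q is not a literal IP; use 127.0.0.1 or ::1", host)
	}
	switch {
	case ip.IsUnspecified(): // 0.0.0.0 or ::
		return ScopeAll, nil
	case ip.IsLoopback(): // 127.0.0.0/8 or ::1
		return ScopeLoopback, nil
	default:
		return ScopeSpecific, nil
	}
}

// loopbackAddrForPort is the corrected form of a bare port value:
// the port is pinned to the loopback interface instead of becoming ":port".
func loopbackAddrForPort(port int) string {
	return net.JoinHostPort("127.0.0.1", fmt.Sprint(port))
}

// requireLocalOnly returns an error unless addr would bind only to loopback.
// A wrapper or flag parser can call this before handing addr to net.Listen.
func requireLocalOnly(addr string) error {
	scope, err := classifyListenAddr(addr)
	if err != nil {
		return err
	}
	if scope != ScopeLoopback {
		return fmt.Errorf("refusing to listen on %q: binds to %s, not loopback", addr, scope)
	}
	return nil
}

func main() {
	// Constructed sample addresses: the weak forms first, then the corrected ones.
	samples := []string{":8080", "0.0.0.0:8080", "[::]:8080",
		"localhost:8080", "127.0.0.1:8080", "[::1]:8080", loopbackAddrForPort(8080)}
	for _, addr := range samples {
		scope, err := classifyListenAddr(addr)
		fmt.Printf("%-18s -> %v %v\n", addr, scope, err)
	}
	// Optional: validate an address passed on the command line.
	if len(os.Args) > 1 {
		if err := requireLocalOnly(os.Args[1]); err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(1)
		}
	}
}
```

Run it with a candidate address as the first argument (for example `go run main.go :8080`) and it exits non-zero for anything that would not be loopback-only; with no argument it prints the classification of each sample address.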
Technical Details
- Data Version: 5.2
- Assigner Short Name: Go
- Date Reserved: 2026-04-28T00:21:12.792Z
- Cvss Version: null
- State: PUBLISHED
- Remediation Level: null
Threat ID: 69fb7191cbff5d86100fd114
Added to database: 5/6/2026, 4:51:29 PM
Last enriched: 5/6/2026, 5:07:23 PM
Last updated: 5/7/2026, 7:40:19 AM