CRITICAL🇵🇱 Wersja polska

CVE-2026-40884

CVSS 9.8v3.1pub. 2026-04-21upd. 2026-04-27

goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.6, goshs contains an SFTP authentication bypass when the documented empty-username basic-auth syntax is used. If the server is started with -b ':pass' together with -sftp, goshs accepts that configuration but does not install any SFTP password handler. As a result, an unauthenticated network attacker can connect to the SFTP service and access files without a password. This vulnerability is fixed in 2.0.0-beta.6.

🤖 AI Analysis
How it works

The problem occurs when the server is launched with the -b ':pass' parameter (basic-auth syntax with empty username) simultaneously with the -sftp flag. Goshs accepts such configuration, but does not install any password verification mechanism for the SFTP protocol. As a result, any attacker can establish a connection to the SFTP service and browse or download files without needing to provide any credentials.

Impact

An attacker can gain unauthorized access to files shared by the server, leading to violations of data confidentiality, integrity, and availability.

Mitigation & patch

Update goshs to version 2.0.0-beta.6 or newer, where the vulnerability has been fixed. As a temporary workaround, avoid simultaneously using the -b ':pass' and -sftp options or restrict network access to the SFTP service using a firewall.

Who is affected

goshs in versions prior to 2.0.0-beta.6 when the server is launched with the -b ':pass' and -sftp parameters

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Goshs

    APP
    Goshs
    2.0.0< 2.0.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Auth Bypass
CWE
References

Related vulnerabilities

CVE-2026-40903CRITICAL9.1PL ✓ten sam produkt

Goshs: wyciek tokenu GITHUB_TOKEN przez artefakty workflow (ArtiPACKED)

CVE-2026-40189CRITICAL9.3PL ✓ten sam produkt

Authorization bypass w goshs — ominięcie ACL bez uwierzytelnienia

CVE-2026-35393CRITICAL9.8PL ✓ten sam produkt

Path traversal w Goshs — brak sanityzacji katalogu przy uploadzie plików

CVE-2026-35392CRITICAL9.8PL ✓ten sam produkt

Path traversal w goshs — brak sanityzacji ścieżki przy PUT upload

CVE-2026-35471CRITICAL9.8PL ✓ten sam produkt

Path traversal w Goshs — brak return po walidacji ścieżki w deleteFile()