CVE-2026-40189

CRITICAL

goshs has a file-based ACL authorization bypass in goshs state-changing routes

Title source: cna

Description

goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.4, goshs enforces the documented per-folder .goshs ACL/basic-auth mechanism for directory listings and file reads, but it does not enforce the same authorization checks for state-changing routes. An unauthenticated attacker can upload files with PUT, upload files with multipart POST /upload, create directories with ?mkdir, and delete files with ?delete inside a .goshs-protected directory. By deleting the .goshs file itself, the attacker can remove the folder's auth policy and then access previously protected content without credentials. This results in a critical authorization bypass affecting confidentiality, integrity, and availability. This vulnerability is fixed in 2.0.0-beta.4.

References (3)

Scores

CVSS v3 9.8
EPSS 0.0014
EPSS Percentile 33.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-862
Status published
Products (4)
goshs/goshs 2.0.0 beta1 (3 CPE variants)
goshs/goshs < 2.0.0
patrickhener/goshs 0Go
patrickhener/goshs < 2.0.0-beta.4
Published Apr 10, 2026
Tracked Since Apr 11, 2026