CVE-2026-40189
Published: 10 April 2026
Description
goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.4, goshs enforces the documented per-folder .goshs ACL/basic-auth mechanism for directory listings and file reads, but it does not enforce the same authorization checks for state-changing routes. An unauthenticated attacker can upload files with PUT, upload files with multipart POST /upload, create directories with ?mkdir, and delete files with ?delete inside a .goshs-protected directory. By deleting the .goshs file itself, the attacker can remove the folder's auth policy and then access previously protected content without credentials. This results in a critical authorization bypass affecting confidentiality, integrity, and availability. This vulnerability is fixed in 2.0.0-beta.4.
Mitigating Controls (NIST 800-53 r5)
- Enforces approved authorizations for all logical access to system resources, directly addressing the failure to apply ACL/basic-auth checks to state-changing routes like PUT, POST /upload, ?mkdir, and ?delete.
- Implements a reference monitor mediating all access attempts between subjects and objects, ensuring consistent enforcement of per-folder authorizations across all goshs server operations, including those that currently bypass the checks.
- Requires timely flaw remediation through upgrade to goshs 2.0.0-beta.4, which fixes the authorization bypass allowing unauthenticated file modifications and policy deletion.
Security Summary
CVE-2026-40189 is a critical authorization bypass vulnerability (CWE-862) in goshs, a SimpleHTTPServer implementation written in Go. In versions prior to 2.0.0-beta.4, the server enforces per-folder .goshs ACL/basic-auth mechanisms for directory listings and file reads, but fails to apply the same checks to state-changing routes. This allows unauthorized modifications within protected directories, with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
An unauthenticated remote attacker can exploit this vulnerability by sending requests such as PUT to upload files, multipart POST to /upload, ?mkdir to create directories, or ?delete to remove files, all within .goshs-protected directories. By specifically deleting the .goshs file itself, the attacker can eliminate the folder's authentication policy, gaining unauthorized access to previously protected content. This compromises confidentiality, integrity, and availability of served files.
The vulnerability is fixed in goshs version 2.0.0-beta.4. Security practitioners should upgrade to this version or later. Relevant resources include the fixing commit at https://github.com/patrickhener/goshs/commit/f212c4f4a126556bab008f79758e21a839ef2c0f, the release page at https://github.com/patrickhener/goshs/releases/tag/v2.0.0-beta.4, and the GitHub security advisory at https://github.com/patrickhener/goshs/security/advisories/GHSA-wvhv-qcqf-f3cx.
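The flaw and the fix pattern described above, as an added example that is neither goshs's code nor the fixing commit: a minimal Go file server in which the per-folder policy check lives only in the read branch (fileOps), beside a reference-monitor middleware (requireAuth) that mediates every method and query flag and refuses any HTTP access to the policy file itself. The policy-file format (one user:password line), the function names, and the constructed directory tree are assumptions made for this example.

```go
package main

import (
	"bytes"
	"crypto/subtle"
	"io"
	"net/http"
	"net/http/httptest"
	"os"
	"path"
	"path/filepath"
)

// policyFile is the per-folder policy file named in the advisory; the one-line
// "user:password" content used below is an assumption of this example only.
const policyFile = ".goshs"

// authorized applies the nearest policy file above the requested path (none means
// public); the rooted URL path is cleaned first so the lookup stays under root.
func authorized(root, urlPath string, r *http.Request) bool {
	for dir := filepath.Join(root, filepath.FromSlash(path.Clean("/"+urlPath))); ; dir = filepath.Dir(dir) {
		if data, err := os.ReadFile(filepath.Join(dir, policyFile)); err == nil {
			user, pass, ok := r.BasicAuth()
			return ok && subtle.ConstantTimeCompare([]byte(user+":"+pass), bytes.TrimSpace(data)) == 1
		}
		if dir == root {
			return true
		}
	}
}

// fileOps has the advisory's flawed shape: the policy check sits in the read
// branch only, so PUT and ?delete reach the filesystem unchecked.
func fileOps(root string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		p := filepath.Join(root, filepath.FromSlash(path.Clean("/"+r.URL.Path)))
		var err error
		switch {
		case r.Method == http.MethodPut: // upload
			body, _ := io.ReadAll(r.Body)
			if err = os.WriteFile(p, body, 0o644); err == nil {
				w.WriteHeader(http.StatusCreated)
			}
		case r.URL.Query().Has("delete"): // the ?delete flag from the advisory
			if err = os.Remove(p); err == nil {
				w.WriteHeader(http.StatusNoContent)
			}
		case !authorized(root, r.URL.Path, r): // enforced for reads only
			http.Error(w, "unauthorized", http.StatusUnauthorized)
		default: // file read or directory listing
			http.ServeFile(w, r, p)
		}
		if err != nil {
			http.Error(w, err.Error(), http.StatusInternalServerError)
		}
	})
}

// requireAuth is the fix's reference-monitor shape: every request is checked before
// it reaches next, whatever its method or flag, and the policy file is never served.
func requireAuth(root string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !authorized(root, r.URL.Path, r) {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
		} else if path.Base(path.Clean("/"+r.URL.Path)) == policyFile {
			http.Error(w, "forbidden", http.StatusForbidden)
		} else {
			next.ServeHTTP(w, r)
		}
	})
}

func hardened(root string) http.Handler { return requireAuth(root, fileOps(root)) }

// exercise builds a constructed tree (secret/.goshs guarding secret/report.txt) and
// replays the advisory's sequence against h: anonymous PUT, anonymous ?delete of the
// policy file, anonymous GET of report.txt, then the same GET with valid credentials.
func exercise(h func(string) http.Handler) []int {
	root := filepath.Join(os.TempDir(), "goshs-example")
	defer os.RemoveAll(root)
	os.MkdirAll(filepath.Join(root, "secret"), 0o755)
	os.WriteFile(filepath.Join(root, "secret", policyFile), []byte("alice:s3cret\n"), 0o600)
	os.WriteFile(filepath.Join(root, "secret", "report.txt"), []byte("confidential\n"), 0o644)
	hd := h(root)
	do := func(method, p, user, pass string) int {
		req := httptest.NewRequest(method, p, bytes.NewReader([]byte("dropped")))
		if user != "" {
			req.SetBasicAuth(user, pass)
		}
		rec := httptest.NewRecorder()
		hd.ServeHTTP(rec, req)
		return rec.Code
	}
	return []int{
		do(http.MethodPut, "/secret/dropped.txt", "", ""),
		do(http.MethodGet, "/secret/"+policyFile+"?delete", "", ""),
		do(http.MethodGet, "/secret/report.txt", "", ""),
		do(http.MethodGet, "/secret/report.txt", "alice", "s3cret"),
	}
}
```

Driven from a main or a test, exercise(fileOps) returns [201 204 200 200]: the anonymous PUT and the ?delete of the policy file succeed, and the once-protected file is then readable without credentials, which is the escalation the advisory describes. exercise(hardened) returns [401 401 401 200]: every anonymous request is refused and only the authenticated read goes through. Two design points carry over to any server with per-directory policy: the check belongs in one place in front of all routes rather than inside individual operations, and the policy file must be excluded from the very operations it governs, otherwise deleting it is equivalent to switching authentication off.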
Details
- CWE(s): CWE-862 (Missing Authorization)
- Affected Products: goshs prior to 2.0.0-beta.4
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE enables exploitation of a public-facing web server (T1190) for unauthorized file upload (T1105) and file deletion (T1070.004) via unprotected HTTP endpoints.