CVE-2026-34581
Published 2026-04-02
Priority: P3 · 45 · Severity: high · CVSS 3.1 base score 8.1
CVSS vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
EPSS: 0.39% (31.0th percentile)
goshs is a SimpleHTTPServer written in Go. From version 1.1.0 to before version 2.0.0-beta.2, when using the Share Token it is possible to bypass the limited selected file download with all the gosh functionalities, including code exec. This issue has been patched in version 2.0.0-beta.2.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | patrickhener_goshs | >= 1.1.0 | — |
| goshs | goshs | — | — |
| goshs | goshs | >= 1.1.0 < 2.0.0 | 2.0.0 |
| patrickhener | goshs | — | — |
OSV · 2026-04-01
CVE-2026-34581 [HIGH] goshs has Auth Bypass via Share Token
### Summary
When a `Share Token` is used, the restriction to a single selected file download can be bypassed, giving access to all goshs functionality, including code execution.
### Details
The `BasicAuthMiddleware` checks for a `?token=` parameter **before** checking credentials. If the token exists in `SharedLinks`, the request passes through with **no auth check at all**. The handler then processes all query parameters — including `?ws` (WebSocket) which has higher priority than `?token`.
```go
// middleware.go:22-30 — token check runs FIRST
token := r.URL.Query().Get("token")
if token != "" {
    _, ok := fs.SharedLinks[token]
    if ok {
        next.ServeHTTP(w, r) // Full auth bypass
        return
    }
}
// ... normal auth checks never reached
```
A share token is designed for **single-
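As an added illustration (not goshs' own code and not its actual fix), the flawed ordering is shown beside a scoped variant in which a share token authorizes only the single download it was minted for, so a request that also carries `?ws` falls through to the credential check; `sharedLinks`, the credentials and the request paths are constructed stand-ins.

```go
package main

import (
	"net/http"
	"net/http/httptest"
)

// sharedLinks stands in for the SharedLinks map (constructed sample data,
// not goshs' own code): share token -> path of the single shared file.
var sharedLinks = map[string]string{"abc123": "/report.pdf"}
// hasCreds is a stand-in credential check using constructed test credentials.
func hasCreds(r *http.Request) bool {
	u, p, ok := r.BasicAuth()
	return ok && u == "admin" && p == "secret"
}
// tokenAccepted decides whether the share token alone may authorize r:
// scoped=false reproduces the flaw (any known token passes any request);
// scoped=true allows only a plain GET of the shared file with no other
// query parameters, so a ?ws request falls through to the credential check.
func tokenAccepted(r *http.Request, scoped bool) bool {
	q := r.URL.Query()
	path, ok := sharedLinks[q.Get("token")]
	if !ok {
		return false
	}
	return !scoped || (len(q) == 1 && r.Method == http.MethodGet && r.URL.Path == path)
}
// authMiddleware keeps the advisory's ordering (token checked before
// credentials); scoped selects the vulnerable or the hardened token rule.
func authMiddleware(next http.Handler, scoped bool) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if tokenAccepted(r, scoped) {
			next.ServeHTTP(w, r) // unscoped: full auth bypass
			return
		}
		if !hasCreds(r) {
			w.WriteHeader(http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}
// statusFor sends one unauthenticated GET through the middleware and returns
// the status the client sees (200 means the request reached the handler).
func statusFor(target string, scoped bool) int {
	h := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })
	rec := httptest.NewRecorder()
	authMiddleware(h, scoped).ServeHTTP(rec, httptest.NewRequest(http.MethodGet, target, nil))
	return rec.Code
}
```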
GHSA · 2026-04-01
CVE-2026-34581 [HIGH] CWE-288 goshs has Auth Bypass via Share Token
No detection rules found.
No public exploits indexed.