CVE-2026-40189
Published 2026-04-10
Priority: P2 · 66 · critical 9.8 (CVSS 3.1)
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.65% (46.6th percentile)
goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.4, goshs enforces the documented per-folder .goshs ACL/basic-auth mechanism for directory listings and file reads, but it does not enforce the same authorization checks for state-changing routes. An unauthenticated attacker can upload files with PUT, upload files with multipart POST /upload, create directories with ?mkdir, and delete files with ?delete inside a .goshs-protected directory. By deleting the .goshs file itself, the attacker can remove the folder's auth policy and then access previously protected content without credentials. This results in a critical authorization bypass affecting confidentiality, integrity, and availability. This vulnerability is fixed in 2.0.0-beta.4.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | patrickhener_goshs | 0 – 1.1.4 | — |
| goshs | goshs | < 2.0.0 | 2.0.0 |
| goshs | goshs | — | — |
| patrickhener | goshs | < 2.0.0-beta.4 | 2.0.0-beta.4 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| NVD | 4.0 | 9.3 | CRITICAL | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
GHSA
goshs has a file-based ACL authorization bypass in goshs state-changing routes
GHSA · 2026-04-10 · CVE-2026-40189 · CRITICAL · CWE-862
### Summary
goshs enforces the documented per-folder `.goshs` ACL/basic-auth mechanism for directory listings and file reads, but it does not enforce the same authorization checks for state-changing routes. An unauthenticated attacker can upload files with `PUT`, upload files with multipart `POST /upload`, create directories with `?mkdir`, and delete files with `?delete` inside a `.goshs`-protected directory. By deleting the `.goshs` file itself, the attacker can remove the folder's auth policy and then access previously protected content without credentials. This results in a critical authorization bypass affecting confidentiality, integrity, and availability.
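As an added illustration (not goshs's code, and not the project's real `.goshs` parser), the Go stub below shows the CWE-862 shape the advisory describes beside its fix: the same per-folder basic-auth policy applied to reads only, versus applied before any route logic, so `PUT` uploads and `?mkdir`/`?delete` requests inside the protected folder are gated too. The `/secret/` path, the credentials and the `gateWrites` switch are constructed for the example; multipart `POST /upload` is not modelled because its target folder comes from form data.

```go
package main

import (
	"crypto/subtle"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Constructed stand-in for per-folder .goshs basic-auth policies (not goshs's real format or parser).
var protected = map[string][2]string{"/secret/": {"admin", "s3cret"}}

// authorized is true when the path is unprotected or the request carries that folder's credentials.
func authorized(r *http.Request) bool {
	for prefix, c := range protected {
		if strings.HasPrefix(r.URL.Path, prefix) {
			u, p, ok := r.BasicAuth()
			return ok && subtle.ConstantTimeCompare([]byte(u), []byte(c[0])) == 1 &&
				subtle.ConstantTimeCompare([]byte(p), []byte(c[1])) == 1
		}
	}
	return true
}

// handler returns a file-server stub. gateWrites=false checks the folder policy on reads only, the
// CWE-862 shape the advisory describes; gateWrites=true checks it before any route logic, read or write.
func handler(gateWrites bool) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		q := r.URL.Query() // write routes named in the advisory: PUT uploads, ?mkdir and ?delete
		write := r.Method == http.MethodPut || q["mkdir"] != nil || q["delete"] != nil
		if (gateWrites || !write) && !authorized(r) {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		w.WriteHeader(http.StatusOK) // placeholder for the real read, upload, mkdir or delete
	}
}

// status drives a handler with an in-memory request and returns the HTTP status it produced.
func status(h http.HandlerFunc, method, target, user, pass string) int {
	r := httptest.NewRequest(method, target, nil)
	if user != "" {
		r.SetBasicAuth(user, pass)
	}
	w := httptest.NewRecorder()
	h(w, r)
	return w.Code
}
```

With `handler(false)`, an unauthenticated `GET /secret/.goshs?delete` returns 200 (the policy file is removable); with `handler(true)` the same request returns 401 while a credentialed read of `/secret/` still succeeds.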
### Details
The project README explicitly documen
VulDB
patrickhener goshs up to 2.0.0-beta.3 ACL/basic-auth authorization (GHSA-wvhv-qcqf-f3cx)
VulDB · 2026-04-10 · CVSS 9.3 · CVE-2026-40189 · CRITICAL
A vulnerability rated critical has been found in patrickhener goshs up to 2.0.0-beta.3. It affects an unknown function of the file-based ACL/basic-auth mechanism; manipulation can lead to missing authorization.
This vulnerability is tracked as CVE-2026-40189. The attack can be executed remotely. No exploit is available.
The affected component should be upgraded.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References:
- https://github.com/patrickhener/goshs/commit/f212c4f4a126556bab008f79758e21a839ef2c0f
- https://github.com/patrickhener/goshs/releases/tag/v2.0.0-beta.4
- https://github.com/patrickhener/goshs/security/advisories/GHSA-wvhv-qcqf-f3cx
Published 2026-04-10