CVE-2026-40884
Published 2026-04-21
Priority P269 · critical 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.48% (37.7th percentile)
goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.6, goshs contains an SFTP authentication bypass when the documented empty-username basic-auth syntax is used. If the server is started with -b ':pass' together with -sftp, goshs accepts that configuration but does not install any SFTP password handler. As a result, an unauthenticated network attacker can connect to the SFTP service and access files without a password. This vulnerability is fixed in 2.0.0-beta.6.
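The failure mode above is a configuration-time gap: the option parser accepts a value, but the code path that should wire an authentication handler into the SSH server never runs for it. The following is an added example, not goshs's own code, that models that pattern in Go with constructed names (`ParseBasicAuth`, `BuildVulnerable`, `BuildFixed`, `RequireAuth`, `AuthHandlers`): the vulnerable builder installs the password callback only when the username is non-empty, the fixed builder installs it whenever a password was configured, and `RequireAuth` is the startup guard a practitioner would want regardless, refusing to expose SFTP unless at least one authentication method is actually installed. The example treats a handler set with no callbacks as "no authentication", which is the effect the advisory describes, without claiming how goshs's SSH layer reaches that state.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
	"strings"
)

// BasicAuth is the parsed form of a "user:pass" basic-auth flag value.
type BasicAuth struct {
	User string
	Pass string
}

// ParseBasicAuth splits "user:pass". The user part may be empty (the
// documented ':pass' form); an empty password is rejected. This is a
// constructed parser, not goshs's own option handling.
func ParseBasicAuth(v string) (BasicAuth, error) {
	user, pass, ok := strings.Cut(v, ":")
	if !ok {
		return BasicAuth{}, errors.New("basic auth must be given as user:pass")
	}
	if pass == "" {
		return BasicAuth{}, errors.New("basic auth password must not be empty")
	}
	return BasicAuth{User: user, Pass: pass}, nil
}

// AuthHandlers models the two hooks an SSH server config exposes. A value
// with both left nil is treated here as "no authentication", which is the
// effect the advisory describes for the ':pass' configuration.
type AuthHandlers struct {
	Password  func(user, pass string) error
	PublicKey func(fingerprint string) error
}

// passwordHandler returns a callback bound to the configured credentials,
// comparing both fields in constant time.
func passwordHandler(ba BasicAuth) func(user, pass string) error {
	return func(user, pass string) error {
		userOK := subtle.ConstantTimeCompare([]byte(user), []byte(ba.User)) == 1
		passOK := subtle.ConstantTimeCompare([]byte(pass), []byte(ba.Pass)) == 1
		if userOK && passOK {
			return nil
		}
		return errors.New("permission denied")
	}
}

// BuildVulnerable reproduces the bug pattern: the password handler is only
// wired in when the username is non-empty, so ':pass' yields no handler.
func BuildVulnerable(ba BasicAuth) AuthHandlers {
	var h AuthHandlers
	if ba.User != "" {
		h.Password = passwordHandler(ba)
	}
	return h
}

// BuildFixed installs the handler whenever a password was configured,
// independent of whether the username is empty.
func BuildFixed(ba BasicAuth) AuthHandlers {
	return AuthHandlers{Password: passwordHandler(ba)}
}

// RequireAuth is the startup guard: refuse to expose SFTP unless at least
// one authentication method is installed.
func RequireAuth(h AuthHandlers) error {
	if h.Password == nil && h.PublicKey == nil {
		return errors.New("refusing to start SFTP: no authentication handler installed")
	}
	return nil
}

func main() {
	ba, err := ParseBasicAuth(":pass")
	if err != nil {
		panic(err)
	}
	fmt.Println("vulnerable build:", RequireAuth(BuildVulnerable(ba)))
	fixed := BuildFixed(ba)
	fmt.Println("fixed build:     ", RequireAuth(fixed))
	fmt.Println("login '' / 'pass':", fixed.Password("", "pass"))
	fmt.Println("login '' / 'nope':", fixed.Password("", "nope"))
}
```

The guard is the part worth carrying into any server that builds its auth config from CLI flags: a sanity check that only asks "was a password or key file given?" is satisfied by a configuration that never turns into a handler, whereas checking the assembled config itself catches the gap before the listener is opened.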
Affected (5 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | patrickhener_goshs | 0 – 1.1.4 | — |
| github.com | patrickhener_goshs_v2 | >= 0 < 2.0.0 | 2.0.0 |
| goshs | goshs | < 2.0.0 | 2.0.0 |
| goshs | goshs | — | — |
| patrickhener | goshs | < 2.0.0-beta.6 | 2.0.0-beta.6 |
VulDB
patrickhener goshs up to 2.0.0-beta.5 SFTP Service missing authentication (GHSA-c29w-qq4m-2gcv)
vuldb · 2026-04-21 · CVSS 9.8 · CRITICAL
VulDB classifies this as critical: an unknown function of the SFTP Service component in patrickhener goshs up to 2.0.0-beta.5 is affected, and the flaw results in missing authentication. The attack can be launched remotely; no public exploit is known. Upgrading the affected component is recommended.
GHSA
goshs has an empty-username SFTP password authentication bypass
ghsa · 2026-04-14 · CRITICAL · CWE-306 (Missing Authentication for Critical Function)
### Summary
goshs contains an SFTP authentication bypass when the documented empty-username basic-auth syntax is used. If the server is started with `-b ':pass'` together with `-sftp`, goshs accepts that configuration but does not install any SFTP password handler. As a result, an unauthenticated network attacker can connect to the SFTP service and access files without a password. I reproduced this on the latest release `v2.0.0-beta.5`.
### Details
The help text explicitly documents empty usernames as valid authentication input:
- `options/options.go:264-266` says `Use basic authentication (user:pass - user can be empty)`
The SFTP sanity check only requires that either `-b` or `--sftp-keyfile` is present:
```go
if opts.SF
```
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.