CVE-2026-40189
Status: Received - Intake
Authorization Bypass in goshs Allows Unauthenticated File Manipulation

Publication date: 2026-04-10

Last updated on: 2026-04-14

Assigner: GitHub, Inc.

Description
goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.4, goshs enforces the documented per-folder .goshs ACL/basic-auth mechanism for directory listings and file reads, but it does not enforce the same authorization checks for state-changing routes. An unauthenticated attacker can upload files with PUT, upload files with multipart POST /upload, create directories with ?mkdir, and delete files with ?delete inside a .goshs-protected directory. By deleting the .goshs file itself, the attacker can remove the folder's auth policy and then access previously protected content without credentials. This results in a critical authorization bypass affecting confidentiality, integrity, and availability. This vulnerability is fixed in 2.0.0-beta.4.
Meta Information
Published: 2026-04-10
Last Modified: 2026-04-14
Generated: 2026-06-16
AI Q&A: 2026-04-10
EPSS Evaluated: 2026-06-15
Affected Vendors & Products (4 associated CPEs)
Vendor   Product   Version / Range
goshs    goshs     2.0.0
goshs    goshs     up to 2.0.0 (exclusive)
goshs    goshs     2.0.0
goshs    goshs     2.0.0
Weakness
CWE-862: The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
AI Quick Actions
Executive Summary

CVE-2026-40189 is a critical authorization bypass vulnerability in goshs, a SimpleHTTPServer written in Go. The server uses per-folder .goshs ACL/basic-auth files to protect directory listings and file reads. However, before version 2.0.0-beta.4, goshs did not enforce these authorization checks on state-changing HTTP routes such as file uploads, directory creation, and file deletion.

This means an unauthenticated attacker could upload files using PUT or multipart POST /upload, create directories with the ?mkdir parameter, and delete files with the ?delete parameter inside directories protected by .goshs ACL files. Critically, the attacker could delete the .goshs ACL file itself, removing the folder's authentication policy and allowing unrestricted access to previously protected content.

This vulnerability results in a complete bypass of confidentiality, integrity, and availability protections for the affected directories.

Impact Analysis

This vulnerability allows remote unauthenticated attackers to perform unauthorized state-changing operations within directories protected by .goshs ACL files.

  • Attackers can upload files using PUT or multipart POST /upload requests.
  • Attackers can create new directories using the ?mkdir query parameter.
  • Attackers can delete files, including the critical .goshs ACL file itself, using the ?delete query parameter.

By deleting the .goshs ACL file, attackers remove the folder's authentication policy, enabling them to access previously protected content without any credentials.

Overall, this leads to a complete compromise of confidentiality, integrity, and availability of the protected data and resources.

Detection Guidance

This vulnerability can be detected by testing whether unauthenticated state-changing HTTP requests are allowed in directories protected by .goshs ACL files. Specifically, you can attempt to perform unauthorized file uploads, directory creation, and file deletions without authentication.

  • Try an unauthenticated PUT request to upload a file to a protected directory.
  • Try an unauthenticated multipart POST request to the /upload endpoint.
  • Attempt to create a directory using the ?mkdir query parameter without authentication.
  • Attempt to delete a file, including the .goshs ACL file itself, using the ?delete query parameter without authentication.

For example, using curl commands:

  • curl -X PUT 'http://target/protected/path/filename' -d 'test content'
  • curl -F 'file=@localfile' 'http://target/protected/path/upload'
  • curl 'http://target/protected/path/?mkdir=newdir'
  • curl 'http://target/protected/path/?delete=filename'

If these requests succeed without authentication, the vulnerability is present.

Mitigation Strategies

Immediate mitigation steps include:

  • Upgrade goshs to version 2.0.0-beta.4 or later, where the vulnerability is fixed.
  • Ensure that authorization checks are enforced on all state-changing HTTP routes, including PUT, multipart POST /upload, ?mkdir, and ?delete.
  • Protect the .goshs ACL files from deletion, overwriting, or replacement by blocking such operations.
  • Apply patches that implement recursive ACL enforcement and prevent unauthorized modification of .goshs files.

These steps will prevent unauthenticated attackers from bypassing authorization and protect confidentiality, integrity, and availability of the protected directories.
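The second, third and fourth mitigation points above, shown as an added example for this record rather than goshs's own code: a Go guard that resolves the nearest .goshs policy for any request path (so a policy covers nested directories), applies the same basic-auth check to PUT, POST and the ?mkdir/?delete actions as to directory listings and reads, and refuses any write that names the .goshs file even when the credentials are valid. Everything here is an assumption of the example, not goshs's real API: the function names (Decide, Guard, NearestACL, Authorized, IsStateChanging, TargetsACLFile), the "user:password" line format of the policy file, and the use of http.FileServer as a stand-in for the real handlers.

```go
package main

import (
	"bufio"
	"crypto/subtle"
	"log"
	"net/http"
	"os"
	"path"
	"path/filepath"
	"strings"
)

const ACLFileName = ".goshs" // per-folder policy file named in the advisory

// IsStateChanging reports whether a request would modify the served tree.
func IsStateChanging(r *http.Request) bool {
	if r.Method == http.MethodPut || r.Method == http.MethodPost || r.Method == http.MethodDelete {
		return true
	}
	_, mk := r.URL.Query()["mkdir"]
	_, del := r.URL.Query()["delete"]
	return mk || del
}

// TargetsACLFile reports whether a request names the policy file itself,
// either in the path or as the ?delete target.
func TargetsACLFile(r *http.Request) bool {
	return path.Base(r.URL.Path) == ACLFileName ||
		path.Base(r.URL.Query().Get("delete")) == ACLFileName
}

// NearestACL walks from the requested path up to root and returns the first
// .goshs found, or "" if unprotected; the upward walk makes policies recursive.
func NearestACL(root, reqPath string) string {
	clean := path.Clean("/" + reqPath) // collapses ".." so the walk cannot leave root
	for {
		candidate := filepath.Join(root, filepath.FromSlash(clean), ACLFileName)
		if _, err := os.Stat(candidate); err == nil {
			return candidate
		}
		if clean == "/" {
			return ""
		}
		clean = path.Dir(clean)
	}
}

// Authorized checks basic-auth against "user:password" lines (a format assumed here, not goshs's).
func Authorized(aclFile string, r *http.Request) bool {
	user, pass, ok := r.BasicAuth()
	if !ok {
		return false
	}
	f, err := os.Open(aclFile)
	if err != nil {
		return false // fail closed when the policy cannot be read
	}
	defer f.Close()
	sc := bufio.NewScanner(f)
	for sc.Scan() {
		parts := strings.SplitN(strings.TrimSpace(sc.Text()), ":", 2)
		if len(parts) == 2 &&
			subtle.ConstantTimeCompare([]byte(parts[0]), []byte(user)) == 1 &&
			subtle.ConstantTimeCompare([]byte(parts[1]), []byte(pass)) == 1 {
			return true
		}
	}
	return false
}

// Decide is the single authorization decision for every method: 403 for a write
// touching the policy file, 401 for a protected path without valid credentials, else 200.
func Decide(root string, r *http.Request) int {
	if IsStateChanging(r) && TargetsACLFile(r) {
		return http.StatusForbidden
	}
	acl := NearestACL(root, r.URL.Path)
	if acl != "" && !Authorized(acl, r) {
		return http.StatusUnauthorized
	}
	return http.StatusOK
}

// Guard wraps the file handlers so reads and writes share one authorization path.
func Guard(root string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		switch code := Decide(root, r); code {
		case http.StatusUnauthorized:
			w.Header().Set("WWW-Authenticate", `Basic realm="goshs"`)
			http.Error(w, "authentication required", code)
		case http.StatusForbidden:
			http.Error(w, "the policy file cannot be modified over HTTP", code)
		default:
			next.ServeHTTP(w, r)
		}
	})
}

func main() {
	root, _ := os.Getwd() // http.FileServer stands in for goshs's own handlers
	log.Fatal(http.ListenAndServe("127.0.0.1:8000", Guard(root, http.FileServer(http.Dir(root)))))
}
```

The design point is that Decide runs before the method is dispatched, so there is no route on which the policy is forgotten; the explicit refusal to write the policy file closes the second half of the advisory (deleting .goshs to strip the policy) independently of whether the caller is authenticated.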

Compliance Impact

This vulnerability results in a critical authorization bypass that affects confidentiality, integrity, and availability of data stored in goshs-protected directories.

Because unauthorized attackers can upload, delete, or modify files and remove access control policies, sensitive data could be exposed or altered without proper authorization.

Such a failure to enforce authorization on state-changing operations can lead to violations of data protection requirements found in common standards and regulations like GDPR and HIPAA, which mandate strict controls over access to and modification of sensitive data.

Therefore, this vulnerability undermines compliance by allowing unauthorized access and modification of protected data, potentially resulting in data breaches and loss of data integrity.
