CVE-2026-40876
Status: Received (Intake)
Path Traversal in goshs SFTP Allows Filesystem Escape

Publication date: 2026-04-21

Last updated on: 2026-04-24

Assigner: GitHub, Inc.

Description
goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.6, goshs contains an SFTP root escape caused by prefix-based path validation. An authenticated SFTP user can read from and write to filesystem paths outside the configured SFTP root, which breaks the intended jail boundary and can expose or modify unrelated server files. The SFTP subsystem routes requests through sftpserver/sftpserver.go into DefaultHandler.GetHandler() in sftpserver/handler.go, which forwards file operations into readFile, writeFile, listFile, and cmdFile. All of those sinks rely on sanitizePath() in sftpserver/helper.go. helper.go uses a raw string-prefix comparison, not a directory-boundary check. Because of that, if the configured root is /tmp/goshsroot, then a sibling path such as /tmp/goshsroot_evil/secret.txt incorrectly passes validation since it starts with the same byte prefix. This vulnerability is fixed in 2.0.0-beta.6.
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-04-22
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (6 associated CPEs)
Vendor   Product   Version / Range
goshs    goshs     up to 2.0.0 (excluding)
goshs    goshs     2.0.0
CWE
CWE-22: The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability allows an authenticated SFTP user to escape the configured root directory and access files outside the intended jail, leading to unauthorized disclosure, modification, creation, or deletion of files on the server filesystem.

Such unauthorized access and potential data exposure can compromise the confidentiality, integrity, and availability of sensitive data, which are core requirements in compliance standards like GDPR and HIPAA.

Therefore, exploitation of this vulnerability could result in violations of these regulations due to improper protection of personal or sensitive data.


Can you explain this vulnerability to me?

CVE-2026-40876 is a vulnerability in the goshs SimpleHTTPServer's SFTP component that allows an authenticated SFTP user to escape the intended restricted directory (SFTP root). This happens because the server uses a flawed prefix-based path validation method that only checks if a requested path starts with the root directory string, rather than verifying if the path truly resides within that directory boundary.

Due to this, paths that share the same prefix but are outside the root directory (e.g., /tmp/goshsroot_evil when the root is /tmp/goshsroot) are incorrectly accepted. This allows the user to read, write, rename, or delete files outside the configured SFTP root, breaking the intended jail and exposing or modifying unrelated server files.


How can this vulnerability impact me?

This vulnerability can have serious impacts because it allows an authenticated SFTP user to bypass directory restrictions and access files outside the intended SFTP root directory.

  • Unauthorized disclosure of sensitive files outside the SFTP root.
  • Modification or deletion of files outside the restricted directory, potentially compromising data integrity.
  • Creation of unauthorized files in arbitrary locations on the server.

Overall, this can compromise the confidentiality, integrity, and availability of the server filesystem depending on the permissions and accessible paths.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by attempting to access filesystem paths outside the configured SFTP root directory using an authenticated SFTP user. Specifically, you can try to list, read, or write files in sibling directories that share a prefix with the configured root but are outside the intended jail.

For example, if the SFTP root is configured as /tmp/goshsroot, you can test access to /tmp/goshsroot_evil or /tmp/goshsroot_owned directories.

Suggested commands to detect the vulnerability include SFTP commands to list and manipulate files outside the root, such as:

  • sftp> ls /tmp/goshsroot_evil
  • sftp> get /tmp/goshsroot_evil/secret.txt
  • sftp> put pwned.txt /tmp/goshsroot_owned/pwned.txt
  • sftp> cat /tmp/goshsroot_owned/pwned.txt

These commands demonstrate listing, downloading, uploading, and verifying files outside the configured root, confirming the root escape vulnerability.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability immediately, upgrade the goshs SFTP server to version 2.0.0-beta.6 or later, where the vulnerability is fixed.

The fix replaces the unsafe raw string prefix path validation with proper directory-boundary checks that ensure file operations are confined within the configured SFTP root.

If upgrading is not immediately possible, consider restricting authenticated SFTP user access or monitoring for suspicious file operations outside the intended root directory.
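The following Go snippet is an added illustration of the weakness described in the Description and of the directory-boundary check the fix is said to introduce. It is not goshs code: prefixInRoot reconstructs the flawed prefix pattern from the advisory text, and boundaryInRoot is one correct replacement; the root and paths are the advisory's example values.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// prefixInRoot mirrors the flawed pattern the advisory describes: a raw
// string-prefix comparison. "/tmp/goshsroot_evil" starts with the bytes of
// "/tmp/goshsroot", so it is wrongly accepted. (Illustrative, not goshs code.)
func prefixInRoot(root, requested string) bool {
	return strings.HasPrefix(filepath.Clean(requested), filepath.Clean(root))
}

// boundaryInRoot is a directory-boundary check: after cleaning both paths
// (which also collapses ".." segments), the candidate must be the root itself
// or start with root followed by a path separator. Note that this does not
// follow symlinks; a deployment that allows them would also need
// filepath.EvalSymlinks before the comparison.
func boundaryInRoot(root, requested string) bool {
	root = filepath.Clean(root)
	p := filepath.Clean(requested)
	sep := string(filepath.Separator)
	if root == sep { // a root of "/" contains every absolute path
		return filepath.IsAbs(p)
	}
	return p == root || strings.HasPrefix(p, root+sep)
}

func main() {
	root := "/tmp/goshsroot"
	for _, p := range []string{
		"/tmp/goshsroot/upload.txt",        // legitimate, inside the root
		"/tmp/goshsroot_evil/secret.txt",   // sibling directory from the advisory
		"/tmp/goshsroot/../etc/passwd",     // ".." escape, collapsed by Clean
	} {
		fmt.Printf("%-34s prefix=%-5t boundary=%t\n",
			p, prefixInRoot(root, p), boundaryInRoot(root, p))
	}
}
```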

