Compliance Impact

This vulnerability allows unauthenticated remote attackers to bypass SFTP password authentication and access files without authorization. Such unauthorized access to sensitive data can lead to violations of data protection regulations and standards that require strict access controls and authentication mechanisms.

Specifically, regulations like GDPR and HIPAA mandate the protection of personal and sensitive information through proper authentication and access controls. The authentication bypass in goshs could result in unauthorized disclosure, modification, or deletion of protected data, thereby compromising confidentiality, integrity, and availability.

Therefore, organizations using vulnerable versions of goshs may fail to comply with these standards until the vulnerability is remediated.

Useful 0 Not Useful 0

Executive Summary

CVE-2026-40884 is a critical authentication bypass vulnerability in the Go-based SFTP server implementation called goshs, affecting versions up to v2.0.0-beta.5.

The issue occurs when the server is started using the documented empty-username basic authentication syntax with the command-line option '-b ':pass'' combined with the '-sftp' flag.

During startup, goshs parses the '-b' option by splitting on the colon, resulting in an empty username and a non-empty password. The server installs a password authentication handler only if both username and password are non-empty. Because the username is empty, no password handler is installed.

As a result, the SFTP server accepts connections without enforcing any password authentication, allowing unauthenticated attackers to connect and access files.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows unauthenticated remote attackers to bypass SFTP password authentication entirely.

Attackers can connect to the SFTP service without providing any credentials and perform unauthorized file operations such as reading, uploading, renaming, or deleting files within the configured SFTP root directory, depending on permissions.

The severity is critical with a CVSS v3.1 base score of 9.8, indicating high impact on confidentiality, integrity, and availability.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by checking if the goshs server is running with the vulnerable configuration where the -b option uses an empty username with a password (e.g., '-b ":pass"') combined with the -sftp flag.

A practical detection method is to attempt to connect to the SFTP service without providing any authentication credentials and verify if access is granted.

For example, if the server is running on port 2223, you can try connecting using an SFTP client without a password:

• sftp -P 2223 user@hostname

If the connection succeeds and allows file operations without authentication, the server is vulnerable.

Additionally, reviewing the server startup command or configuration for the presence of '-b ":pass"' with the '-sftp' flag indicates the vulnerable setup.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include:

• Avoid starting the goshs server with the '-b ":pass"' option when using the '-sftp' flag.
• Upgrade goshs to version 2.0.0-beta.6 or later, where this vulnerability is fixed.
• If upgrading is not immediately possible, configure the server to use a non-empty username with a password for basic authentication to ensure the password handler is installed.
• Review and restrict network access to the SFTP service to trusted hosts until the vulnerability is remediated.

Useful 0 Not Useful 0