CVE-2026-35471 Overview
CVE-2026-35471 is a path traversal vulnerability in goshs, a SimpleHTTPServer written in Go. The flaw is in the tdeleteFile() function, which checks the requested path for traversal sequences but does not return after detecting a malicious one, so execution continues into the file deletion with the unchecked path. Affected versions are goshs 2.0.0-beta1 and 2.0.0-beta2; the maintainer fixed the issue in 2.0.0-beta.3. The weakness is tracked as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory).
Critical Impact
Unauthenticated remote attackers can delete files outside the served directory (anything the goshs process has permission to remove), leading to data loss, service disruption, and potential follow-on compromise.
Affected Products
- goshs versions prior to 2.0.0-beta.3, specifically the 2.0.0-beta1 and 2.0.0-beta2 pre-releases named in the advisory
Discovery Timeline
- 2026-04-06 - CVE-2026-35471 published to NVD
- 2026-04-09 - Last updated in NVD database
Technical Details for CVE-2026-35471
Vulnerability Analysis
The vulnerability lives in the tdeleteFile() handler of goshs. The function inspects the incoming file path for traversal sequences such as ../ to confirm the request stays within the served directory. When the check identifies a malicious path, the code logs or signals the violation but does not return or abort execution, and the function proceeds to the file deletion routine with the attacker-controlled path. An unauthenticated network client can therefore issue a crafted delete request targeting files outside the server root. Successful exploitation removes any file the goshs process is permitted to delete (in practice, any file in a directory the process can write to), breaking application integrity and availability.
Root Cause
The defect is a classic missing control-flow statement. The path traversal validator detects the unsafe input but lacks a return (or equivalent early-exit) after producing the error condition. Validation becomes advisory rather than enforcing, and downstream file operations execute on untrusted input.
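The following Go program is an added illustration of the defect class just described and its fix; it is not the goshs source, and the function names, the temporary directory layout and the "../victim.txt" request are all constructed for the demonstration. Both handlers share the same traversal check. In the vulnerable one the check only logs, so os.Remove still runs; in the fixed one the early return turns the check into an enforced control.

```go
package main

import (
	"errors"
	"fmt"
	"log"
	"os"
	"path/filepath"
	"strings"
)

// ErrTraversal is returned when a request path would resolve outside the served root.
var ErrTraversal = errors.New("path escapes served directory")

// escapesRoot reports whether root/requested, after "." and ".." are collapsed,
// lands outside root. filepath.Join cleans the joined path, so "a/../../etc/passwd"
// and a bare ".." are both caught by the relative-path check.
func escapesRoot(root, requested string) bool {
	target := filepath.Join(root, requested)
	rel, err := filepath.Rel(root, target)
	if err != nil {
		return true
	}
	return rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// vulnerableDelete models the defect: the validator runs and the violation is
// logged, but control falls through to os.Remove. (Illustrative, not goshs code.)
func vulnerableDelete(root, requested string) error {
	if escapesRoot(root, requested) {
		log.Printf("path traversal attempt: %q", requested)
		// BUG: missing return, so the delete below still executes
	}
	return os.Remove(filepath.Join(root, requested))
}

// fixedDelete adds the missing early exit so the check is enforcing.
func fixedDelete(root, requested string) error {
	if escapesRoot(root, requested) {
		log.Printf("path traversal attempt: %q", requested)
		return ErrTraversal
	}
	return os.Remove(filepath.Join(root, requested))
}

// runScenario builds a temporary served directory with a sibling file outside it,
// sends the constructed request "../victim.txt" to the given handler, and reports
// whether the sibling survived together with the handler's error.
func runScenario(handler func(root, requested string) error) (survived bool, err error) {
	base, err := os.MkdirTemp("", "goshs-demo-")
	if err != nil {
		return false, err
	}
	defer os.RemoveAll(base)
	root := filepath.Join(base, "served")
	if err := os.Mkdir(root, 0o755); err != nil {
		return false, err
	}
	victim := filepath.Join(base, "victim.txt")
	if err := os.WriteFile(victim, []byte("must not be deleted"), 0o644); err != nil {
		return false, err
	}
	err = handler(root, "../victim.txt")
	_, statErr := os.Stat(victim)
	return statErr == nil, err
}

func main() {
	for _, tc := range []struct {
		name    string
		handler func(string, string) error
	}{{"vulnerable", vulnerableDelete}, {"fixed", fixedDelete}} {
		survived, err := runScenario(tc.handler)
		fmt.Printf("%-10s victim survived=%v err=%v\n", tc.name, survived, err)
	}
}
```

Run it and the vulnerable handler removes victim.txt with no error while the fixed handler leaves it in place and returns ErrTraversal. The point to check in any review of a path validator is the same: every detected violation must end the request, not just log it.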
Attack Vector
Exploitation requires only network access to a running goshs instance with the delete capability enabled. No privileges or user interaction are needed, and no authentication is required on a default launch (goshs's optional basic authentication, where an operator has enabled it, is the only gate). An attacker sends an HTTP request to the delete endpoint with a path containing traversal sequences pointing outside the served directory. Because goshs is commonly used during penetration tests, transfer staging, and ad hoc file sharing, exposed instances on internal or internet-facing networks are reachable targets. The fix in 2.0.0-beta.3 adds the missing early return so the function aborts when traversal is detected. See the GitHub Security Advisory GHSA-6qcc-6q27-whp8 for maintainer details.
Detection Methods for CVE-2026-35471
Indicators of Compromise
- HTTP DELETE or delete-action requests to goshs whose path or query parameters contain ../, ..%2f, %2e%2e, double-encoded forms such as %252e%252e, or backslash variants (..%5c). Match after percent-decoding, since a literal search for ../ misses the encoded forms.
- Unexpected file deletions outside the directory served by goshs, especially in user home directories or adjacent application paths.
- goshs process logs showing path traversal warnings immediately followed by successful delete responses.
Detection Strategies
- Inspect web access logs (from a reverse proxy in front of goshs, or goshs's own output) for delete requests against goshs endpoints with encoded or literal traversal patterns, decoding the request target before matching.
- Run version inventory queries to flag any host running goshs 2.0.0-beta1 or 2.0.0-beta2.
- Correlate goshs network activity with file system delete events on the host to identify out-of-scope deletions.
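The following Go program is an added example of the log review described above; it is not part of the original page or of goshs. The five log lines are constructed in combined log format, as a reverse proxy in front of goshs might write them (goshs's own log format may differ), and the "delete" query parameter on line 3 is an assumption made for illustration, not goshs's actual delete endpoint. The detector percent-decodes the request target repeatedly before matching, so single- and double-encoded traversal are caught, while names that merely start with two dots are not flagged.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// sampleLog holds constructed access-log lines (combined log format). Line 3's
// "delete" query parameter is assumed for illustration only.
var sampleLog = []string{
	`10.0.0.5 - - [06/Apr/2026:10:00:01 +0000] "GET /docs/report.pdf HTTP/1.1" 200 1024`,
	`10.0.0.7 - - [06/Apr/2026:10:00:02 +0000] "DELETE /..%2f..%2fetc%2fhosts HTTP/1.1" 200 0`,
	`10.0.0.7 - - [06/Apr/2026:10:00:03 +0000] "POST /?delete=%252e%252e%2fvictim.txt HTTP/1.1" 200 0`,
	`10.0.0.9 - - [06/Apr/2026:10:00:04 +0000] "GET /notes/..hidden/file.txt HTTP/1.1" 200 12`,
	`10.0.0.9 - - [06/Apr/2026:10:00:05 +0000] "GET /static/..%5c..%5cwin.ini HTTP/1.1" 404 0`,
}

// reqLine extracts the method and request target from the quoted request field.
var reqLine = regexp.MustCompile(`"([A-Z]+) (\S+) HTTP/[0-9.]+"`)

// Finding is one flagged request; Delete marks requests that look like delete actions.
type Finding struct {
	Line   int
	Method string
	Target string
	Delete bool
}

// hasTraversal percent-decodes the target up to three times (so %2e%2e and the
// double-encoded %252e%252e both reduce to ".."), treats backslashes as separators,
// and then looks for a path or query segment that is exactly "..". A segment such
// as "..hidden" is an ordinary name and is not flagged.
func hasTraversal(target string) bool {
	s := target
	for i := 0; i < 3; i++ {
		d, err := url.PathUnescape(s)
		if err != nil || d == s {
			break
		}
		s = d
	}
	s = strings.ReplaceAll(s, `\`, "/")
	isSep := func(r rune) bool { return r == '/' || r == '?' || r == '&' || r == '=' }
	for _, seg := range strings.FieldsFunc(s, isSep) {
		if seg == ".." {
			return true
		}
	}
	return false
}

// scanLog returns every request whose target contains traversal, marking those
// that use the DELETE method or carry "delete" in the target (an assumed heuristic).
func scanLog(lines []string) []Finding {
	var out []Finding
	for i, line := range lines {
		m := reqLine.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		method, target := m[1], m[2]
		if !hasTraversal(target) {
			continue
		}
		isDelete := method == "DELETE" || strings.Contains(strings.ToLower(target), "delete")
		out = append(out, Finding{Line: i + 1, Method: method, Target: target, Delete: isDelete})
	}
	return out
}

func main() {
	for _, f := range scanLog(sampleLog) {
		fmt.Printf("line %d: %s %s (delete action: %v)\n", f.Line, f.Method, f.Target, f.Delete)
	}
}
```

On the constructed input lines 2, 3 and 5 are reported and the first two are classified as delete actions; line 4 is correctly left alone. The same decode-then-match logic is what a reverse-proxy rule in front of goshs needs, since a rule that matches only the literal string ../ is bypassed by the encoded forms.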
Monitoring Recommendations
- Alert on any goshs instance listening on an interface reachable from untrusted networks.
- Forward goshs logs and host file integrity events to a central data lake for correlation and retention.
- Monitor for new goshs binary deployments using software inventory or EDR telemetry, since the tool is frequently introduced ad hoc by operators.
How to Mitigate CVE-2026-35471
Immediate Actions Required
- Upgrade all goshs deployments to version 2.0.0-beta.3 or later.
- Stop and remove any internet-exposed goshs instance until patched.
- Restrict goshs to loopback or trusted management networks where feasible.
- Audit the file systems of hosts that ran vulnerable goshs versions for unexpected deletions.
Patch Information
The maintainer released the fix in goshs 2.0.0-beta.3, which adds the missing return after the path traversal check in tdeleteFile(). Download the patched release from the goshs GitHub repository and review the GHSA-6qcc-6q27-whp8 advisory for confirmation.
Workarounds
- Disable the delete capability when launching goshs, or run the server in read-only mode.
- Bind goshs to 127.0.0.1 and access it through SSH port forwarding instead of exposing it on a network interface.
- Run goshs under a low-privilege account inside a chroot or container. This limits the blast radius rather than removing the bug: traversal can still delete anything inside the sandbox that the account may write to, so keep the served tree on its own writable volume and the rest of the filesystem read-only.
- Place goshs behind an authenticating reverse proxy that percent-decodes and normalizes the request target before rejecting any path or query containing a ".." segment; a rule that matches only the literal string ../ is bypassed by %2e%2e, double-encoded and backslash variants.
# Configuration example: launch goshs in read-only mode bound to localhost
goshs -i 127.0.0.1 -p 8000 -ro
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.