CVE-2026-40189 Overview
CVE-2026-40189 is a critical authorization bypass (CWE-862, Missing Authorization) in goshs, a SimpleHTTPServer-style file server written in Go. Prior to version 2.0.0-beta.4, goshs enforces its documented per-folder .goshs ACL/basic-auth mechanism for directory listings and file reads, but applies no equivalent check to its state-changing routes. An unauthenticated attacker can therefore upload files with PUT, upload files with a multipart POST to /upload, create directories with ?mkdir, and delete files with ?delete inside a .goshs-protected directory.
Critical Impact
Because the policy lives in a file inside the served tree, deleting the .goshs file itself removes the folder's auth policy; after that the attacker reads the previously protected content without credentials. The result is a critical authorization bypass affecting confidentiality, integrity and availability.
Affected Products
- goshs versions prior to 2.0.0-beta.4
- goshs 2.0.0-beta1
- goshs 2.0.0-beta2
- goshs 2.0.0-beta3
Discovery Timeline
- April 10, 2026 - CVE-2026-40189 published to NVD
- April 14, 2026 - Last updated in NVD database
Technical Details for CVE-2026-40189
Vulnerability Analysis
This vulnerability is classified as CWE-862 (Missing Authorization). The goshs application implements a per-folder access control mechanism using .goshs configuration files that enforce basic authentication for directory listings and file read operations. However, the authorization enforcement was not consistently applied across all HTTP methods and routes.
The vulnerability lets an unauthenticated attacker with network access to the server bypass the intended authentication entirely for write operations. No user interaction is needed and the requests are trivial to craft, so exploitation is straightforward wherever goshs is reachable from an untrusted network.
Root Cause
The root cause of this vulnerability is inconsistent authorization enforcement across different HTTP endpoints. While the .goshs ACL mechanism properly validates credentials for read operations (directory listings and file retrieval), the same authorization checks were not implemented for state-changing routes including:
- PUT requests for file uploads
- Multipart POST requests to /upload
- Directory creation via ?mkdir query parameter
- File deletion via ?delete query parameter
This inconsistency allowed attackers to modify protected directories without authentication while read access remained restricted.
Attack Vector
The attack can be performed remotely over the network without requiring authentication or user interaction. An attacker targeting a goshs instance with .goshs-protected directories can:
- Send unauthenticated PUT requests to upload arbitrary files to protected directories
- Use multipart POST requests to the /upload endpoint to upload files
- Create new directories using the ?mkdir query parameter
- Delete files, including the .goshs configuration file itself, using the ?delete query parameter
The most severe attack path is deleting the .goshs file itself. Once it is gone, the folder no longer has an authentication policy, and every subsequent read of the formerly protected content is served without credentials. This chain turns an authorization bypass that is limited to write operations into complete read access to the protected resources, and because the deletion is a single request, it leaves very little for a defender to notice at the time.
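To make the root cause and the attack chain concrete, the following Go program models a per-folder .goshs policy in a small HTTP handler and replays the chain (read protected file, delete its .goshs, read again) against two variants: one that, like the vulnerable versions, consults the policy only for reads, and one that applies it to every route and also refuses to delete the policy file over HTTP. This is an added example written for this page, not goshs's code: the .goshs file format, the hard-coded credentials, the handling of ?delete as a GET with a query string, and the collapsing of multipart POST /upload into a plain body write are all assumptions made for illustration.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"os"
	"path"
	"path/filepath"
)

// Server is an illustrative model of a per-folder ".goshs" policy, not goshs's
// implementation: a ".goshs" file in a directory means that directory and
// everything below it require basic auth. Credentials are hard-coded (assumption).
type Server struct {
	Root       string
	EnforceAll bool // false reproduces the flaw: only reads are checked
}

// relPath normalises a URL path so ".." cannot escape Root.
func relPath(p string) string { return path.Clean("/" + p)[1:] }

// protectedBy walks from the requested path up to Root looking for a ".goshs"
// marker and returns its location, or "" when the path is unprotected.
func (s *Server) protectedBy(rel string) string {
	dir := filepath.Join(s.Root, filepath.FromSlash(rel))
	for {
		if marker := filepath.Join(dir, ".goshs"); fileExists(marker) {
			return marker
		}
		parent := filepath.Dir(dir)
		if dir == s.Root || parent == dir {
			return ""
		}
		dir = parent
	}
}

func fileExists(p string) bool { _, err := os.Stat(p); return err == nil }

// authorized checks HTTP basic auth against the hard-coded policy.
func authorized(r *http.Request) bool {
	user, pass, ok := r.BasicAuth()
	return ok && subtle.ConstantTimeCompare([]byte(user), []byte("admin")) == 1 &&
		subtle.ConstantTimeCompare([]byte(pass), []byte("s3cret")) == 1
}

func (s *Server) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	rel := relPath(r.URL.Path)
	q := r.URL.Query()
	_, del := q["delete"]
	_, mk := q["mkdir"]
	isWrite := del || mk || r.Method == http.MethodPut || r.Method == http.MethodPost
	// The flaw: the policy lookup works, but its result is ignored for writes.
	if s.protectedBy(rel) != "" && (s.EnforceAll || !isWrite) && !authorized(r) {
		w.Header().Set("WWW-Authenticate", `Basic realm="goshs"`)
		http.Error(w, "unauthorized", http.StatusUnauthorized)
		return
	}
	target := filepath.Join(s.Root, filepath.FromSlash(rel))
	if del && s.EnforceAll && filepath.Base(target) == ".goshs" {
		http.Error(w, "policy file is not deletable over HTTP", http.StatusForbidden)
		return
	}
	var err error
	switch {
	case del:
		err = os.RemoveAll(target)
	case mk:
		err = os.MkdirAll(target, 0o755)
	case isWrite: // PUT and multipart POST /upload collapsed into one raw-body write
		var body []byte
		if body, err = io.ReadAll(r.Body); err == nil {
			err = os.WriteFile(target, body, 0o644)
		}
	default:
		data, rerr := os.ReadFile(target)
		if rerr != nil {
			http.NotFound(w, r)
			return
		}
		w.Write(data)
		return
	}
	if err != nil {
		http.Error(w, err.Error(), http.StatusInternalServerError)
		return
	}
	fmt.Fprintln(w, "ok")
}

// Outcome records the status of each step of the chain in the advisory.
type Outcome struct{ ReadBefore, DeleteACL, ReadAfter int }

// RunChain builds root/secret/{.goshs,notes.txt} in a temp dir and replays the
// chain with no credentials against the chosen variant.
func RunChain(enforceAll bool) (Outcome, error) {
	var out Outcome
	root, err := os.MkdirTemp("", "goshs-acl-")
	if err != nil {
		return out, err
	}
	defer os.RemoveAll(root)
	secret := filepath.Join(root, "secret")
	if err := os.MkdirAll(secret, 0o755); err != nil {
		return out, err
	}
	for name, content := range map[string]string{".goshs": "admin:s3cret\n", "notes.txt": "confidential\n"} {
		if err := os.WriteFile(filepath.Join(secret, name), []byte(content), 0o644); err != nil {
			return out, err
		}
	}
	srv := httptest.NewServer(&Server{Root: filepath.Clean(root), EnforceAll: enforceAll})
	defer srv.Close()
	steps := []struct {
		url string
		dst *int
	}{{"/secret/notes.txt", &out.ReadBefore}, {"/secret/.goshs?delete", &out.DeleteACL}, {"/secret/notes.txt", &out.ReadAfter}}
	for _, st := range steps {
		resp, err := http.Get(srv.URL + st.url) // ?delete modelled as GET + query (assumption)
		if err != nil {
			return out, err
		}
		resp.Body.Close()
		*st.dst = resp.StatusCode
	}
	return out, nil
}

func main() {
	for _, enforce := range []bool{false, true} {
		out, err := RunChain(enforce)
		if err != nil {
			fmt.Println("error:", err)
			os.Exit(1)
		}
		fmt.Printf("EnforceAll=%-5v %+v\n", enforce, out)
	}
}
```

With EnforceAll=false the three steps return 401, 200, 200: the first read is refused, the unauthenticated ?delete succeeds anyway, and the second read is served because no policy file remains. With EnforceAll=true every step returns 401, and even an authenticated caller cannot remove the policy file through the HTTP interface, which is the property worth checking in whatever server you run.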
Detection Methods for CVE-2026-40189
Indicators of Compromise
- PUT requests into protected directories that carry no Authorization header
- Multipart POST requests to /upload that carry no Authorization header
- Requests with ?delete or ?mkdir query parameters from untrusted IP addresses, and above all a ?delete whose target path ends in /.goshs: this is the decisive indicator, because every read that follows it looks like ordinary access to an unprotected folder
- Missing or modified .goshs files in directories that should be protected
- Unexplained file uploads, directory creations, or file deletions in access logs
Detection Strategies
- Monitor HTTP access logs for PUT, POST to /upload, and requests with ?delete or ?mkdir parameters that lack proper authentication headers
- Implement file integrity monitoring on .goshs configuration files to detect unauthorized modifications or deletions
- Deploy web application firewalls (WAF) with rules to detect and block unauthorized state-changing requests to goshs instances
- Review network traffic for suspicious patterns targeting goshs endpoints from untrusted sources
Monitoring Recommendations
- Enable detailed request logging in goshs, or in the reverse proxy in front of it, so that the HTTP method, URI, query parameters and the authenticated user (if any) are recorded for every request
- Set up alerts for any modifications to .goshs files across protected directories
- Implement anomaly detection for unusual file upload or deletion patterns
- Regularly audit goshs access logs for requests that bypass expected authentication flows
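The detection strategies above reduce to one rule: a request to a write route (PUT, POST /upload, ?mkdir, ?delete) with no authenticated user, with a ?delete aimed at a .goshs file ranked as critical. The following Go program applies that rule to access-log lines. It is an added example for this page, not goshs tooling: it assumes the log is in Common Log Format (whose authuser field is "-" when no credentials were presented), as a reverse proxy in front of goshs would write; goshs's own log format is not reproduced, and the sample lines are constructed, not captured.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"regexp"
	"strings"
)

// Finding is one request to a state-changing route that carried no credentials.
type Finding struct {
	Line      int
	Client    string
	Reason    string // which write route was used
	Succeeded bool   // 2xx: the server accepted the request
	Critical  bool   // ?delete aimed at a .goshs policy file
}

// clfRe matches Common Log Format (assumption about the log source, see above);
// group 2 is the authuser field, "-" when the request had no credentials.
var clfRe = regexp.MustCompile(`^(\S+) \S+ (\S+) \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+`)

// writeRoute maps a request to one of the routes named in the advisory.
func writeRoute(method string, u *url.URL) (string, bool) {
	q := u.Query()
	if _, ok := q["delete"]; ok {
		return "?delete", true
	}
	if _, ok := q["mkdir"]; ok {
		return "?mkdir", true
	}
	if method == "PUT" {
		return "PUT upload", true
	}
	if method == "POST" && strings.HasPrefix(u.Path, "/upload") {
		return "POST /upload", true
	}
	return "", false
}

// ScanLog returns every unauthenticated request to a write route, in log order.
// Authenticated writes are skipped: after the fix those are the only ones that
// should succeed, so they are not evidence of the bypass.
func ScanLog(logText string) []Finding {
	var out []Finding
	for i, line := range strings.Split(strings.TrimSpace(logText), "\n") {
		m := clfRe.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		client, user, method, target, status := m[1], m[2], m[3], m[4], m[5]
		u, err := url.Parse(target)
		if err != nil || user != "-" {
			continue
		}
		reason, ok := writeRoute(method, u)
		if !ok {
			continue
		}
		out = append(out, Finding{
			Line:      i + 1,
			Client:    client,
			Reason:    reason,
			Succeeded: status[0] == '2',
			Critical:  reason == "?delete" && path.Base(u.Path) == ".goshs",
		})
	}
	return out
}

// SampleLog is constructed, not a real capture: one client is refused a listing,
// drops a file, deletes the policy, then lists the folder freely; a second
// client uploads with credentials and later tries ?mkdir without them.
const SampleLog = `
203.0.113.7 - - [10/Apr/2026:12:00:01 +0000] "GET /secret/ HTTP/1.1" 401 0
203.0.113.7 - - [10/Apr/2026:12:00:05 +0000] "PUT /secret/dropped.txt HTTP/1.1" 201 0
203.0.113.7 - - [10/Apr/2026:12:00:09 +0000] "GET /secret/.goshs?delete HTTP/1.1" 200 3
203.0.113.7 - - [10/Apr/2026:12:00:12 +0000] "GET /secret/ HTTP/1.1" 200 845
198.51.100.4 - alice [10/Apr/2026:12:01:00 +0000] "POST /upload HTTP/1.1" 200 20
198.51.100.4 - - [10/Apr/2026:12:02:00 +0000] "POST /upload?mkdir HTTP/1.1" 401 0
`

func main() {
	for _, f := range ScanLog(SampleLog) {
		fmt.Printf("line %d %-13s %-12s succeeded=%-5v critical=%v\n",
			f.Line, f.Client, f.Reason, f.Succeeded, f.Critical)
	}
}
```

On the sample, lines 2, 3 and 6 are reported; line 3 is the critical one, and line 4 (the listing that now succeeds) is deliberately not flagged, which is exactly why the ?delete on .goshs has to be caught rather than the reads that follow it. A refused attempt such as line 6 is still worth keeping: it shows who is probing the write routes.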
How to Mitigate CVE-2026-40189
Immediate Actions Required
- Upgrade goshs to version 2.0.0-beta.4 or later immediately
- Audit protected directories for unauthorized file uploads, directory creations, or file deletions
- Verify the integrity of every .goshs configuration file and restore any that is missing or altered; if a .goshs file was deleted, treat the contents of that folder as already read by the attacker and rotate any credentials or secrets it held
- Restrict network access to goshs instances to trusted networks or implement additional authentication at the network layer
Patch Information
The vulnerability is fixed in goshs version 2.0.0-beta.4. The fix is available in commit f212c4f4a126556bab008f79758e21a839ef2c0f. Users should update to the patched version as soon as possible. For additional details, refer to the GitHub Security Advisory GHSA-wvhv-qcqf-f3cx and the official release v2.0.0-beta.4.
Workarounds
- Place goshs behind a reverse proxy that enforces authentication for every HTTP method and query string, and bind goshs itself to the loopback interface so the proxy is the only way to reach it
- Implement network-level access controls (firewall rules, VPN) to restrict access to trusted clients only
- Run goshs in a read-only mode if the version you are running offers one (check its help output rather than assuming a flag name) until the patch is applied; this removes the vulnerable write routes entirely
- Protect .goshs files at the operating-system level: note that deleting a file requires write permission on its parent directory, not on the file, so read-only file permissions alone do not stop the ?delete route; on Linux, marking the file immutable (chattr +i) blocks deletion by the goshs process regardless of directory permissions
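The first workaround, as an added example written for this page and not part of goshs: a minimal Go reverse proxy that demands basic auth on every request before anything is forwarded. The point of the design is that the credential lives in the proxy process, not in a file inside the served tree, so a ?delete cannot remove it the way it can remove a .goshs file. The user name, password and upstream address are assumptions; the Probe helper stands up a stub upstream purely to demonstrate which requests get through.

```go
package main

import (
	"crypto/subtle"
	"log"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
	"strings"
	"sync/atomic"
)

// NewGuardedProxy fronts a goshs instance and requires basic auth on every
// request, whatever the method or query string. Example code, not goshs's own;
// user and pass are assumptions.
func NewGuardedProxy(upstream *url.URL, user, pass string) http.Handler {
	proxy := httputil.NewSingleHostReverseProxy(upstream)
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		u, p, ok := r.BasicAuth()
		if !ok ||
			subtle.ConstantTimeCompare([]byte(u), []byte(user)) != 1 ||
			subtle.ConstantTimeCompare([]byte(p), []byte(pass)) != 1 {
			w.Header().Set("WWW-Authenticate", `Basic realm="goshs-proxy"`)
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return // nothing reaches goshs without the proxy credential
		}
		// The Authorization header is forwarded unchanged, so goshs's own
		// .goshs check (where it still applies) sees the same credential.
		proxy.ServeHTTP(w, r)
	})
}

// Probe stands up a stub upstream behind the guarded proxy, sends one request,
// and reports the status the client saw and whether the upstream was reached.
func Probe(method, target, user, pass string) (int, bool, error) {
	var reached int32
	upstream := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		atomic.StoreInt32(&reached, 1)
		w.WriteHeader(http.StatusOK)
	}))
	defer upstream.Close()
	upstreamURL, _ := url.Parse(upstream.URL)
	front := httptest.NewServer(NewGuardedProxy(upstreamURL, "admin", "s3cret"))
	defer front.Close()

	req, err := http.NewRequest(method, front.URL+target, strings.NewReader("payload"))
	if err != nil {
		return 0, false, err
	}
	if user != "" {
		req.SetBasicAuth(user, pass)
	}
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return 0, false, err
	}
	resp.Body.Close()
	return resp.StatusCode, atomic.LoadInt32(&reached) == 1, nil
}

func main() {
	for _, c := range []struct{ method, target, user, pass string }{
		{"PUT", "/secret/dropped.txt", "", ""},
		{"GET", "/secret/.goshs?delete", "", ""},
		{"PUT", "/secret/dropped.txt", "admin", "s3cret"},
	} {
		status, reached, err := Probe(c.method, c.target, c.user, c.pass)
		if err != nil {
			log.Fatal(err)
		}
		log.Printf("%s %s auth=%q -> %d, reached upstream: %v", c.method, c.target, c.user, status, reached)
	}
}
```

To deploy this for real, replace the Probe scaffolding with http.ListenAndServe on the public address, point the upstream URL at a goshs bound to 127.0.0.1, and keep in mind that the whole scheme is only as good as that loopback binding: if goshs is also reachable directly, the proxy protects nothing.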
# Update goshs to the patched version (installs into your Go bin directory)
go install github.com/patrickhener/goshs@v2.0.0-beta.4
goshs --version
# Alternatively, download the release binary directly
wget https://github.com/patrickhener/goshs/releases/download/v2.0.0-beta.4/goshs_linux_amd64
chmod +x goshs_linux_amd64
# Verify the version of the binary you actually downloaded, and check the
# release checksum or signature if the project publishes one
./goshs_linux_amd64 --version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

