CVE-2026-40876 Overview
CVE-2026-40876 is a path traversal vulnerability in goshs, a SimpleHTTPServer written in Go. Prior to version 2.0.0-beta.6, goshs contains an SFTP root escape caused by prefix-based path validation. An authenticated SFTP user can read from and write to filesystem paths outside the configured SFTP root, which breaks the intended jail boundary and can expose or modify unrelated server files.
Critical Impact
Authenticated attackers can escape the SFTP jail boundary to read sensitive files or write malicious content anywhere on the filesystem accessible to the goshs process, potentially leading to unauthorized data access, data tampering, or server compromise.
Affected Products
- goshs versions prior to 2.0.0-beta.6
Discovery Timeline
- 2026-04-21 - CVE-2026-40876 published to NVD
- 2026-04-22 - Last updated in NVD database
Technical Details for CVE-2026-40876
Vulnerability Analysis
This path traversal vulnerability stems from an insecure path validation mechanism in the goshs SFTP subsystem. The SFTP subsystem routes requests through sftpserver/sftpserver.go into DefaultHandler.GetHandler() in sftpserver/handler.go, which forwards file operations into the readFile, writeFile, listFile, and cmdFile functions. All of these sinks rely on sanitizePath() in sftpserver/helper.go for path validation.
The vulnerability is classified under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), commonly known as Path Traversal or Directory Traversal.
Root Cause
The root cause lies in the sanitizePath() function within sftpserver/helper.go. This function uses a raw string-prefix comparison rather than a proper directory-boundary check. Because of this flawed approach, if the configured SFTP root is /tmp/goshsroot, then a sibling path such as /tmp/goshsroot_evil/secret.txt incorrectly passes validation since it starts with the same byte prefix.
This prefix-based validation fails to properly verify that paths resolve to actual subdirectories of the intended root, allowing attackers to construct paths that share the same prefix but reference locations outside the jail.
Attack Vector
The attack requires network access and low-privilege authentication to the SFTP service. Once authenticated, an attacker can craft specially constructed file paths that share the same prefix as the configured SFTP root but actually reference sibling directories or files outside the intended boundary.
For example, if the SFTP root is configured as /tmp/goshsroot, an attacker could request files from /tmp/goshsroot_evil/ or /tmp/goshsrootanything/ since these paths begin with the same string prefix as the legitimate root. This allows reading arbitrary files from or writing malicious content to any filesystem location accessible to the goshs process.
The vulnerability mechanism is described in the GitHub Security Advisory with full technical details.
Detection Methods for CVE-2026-40876
Indicators of Compromise
- SFTP access logs showing requests to paths with the SFTP root prefix followed by unexpected characters (e.g., underscores, additional path components)
- File access or modification events on directories sibling to the configured SFTP root
- Unauthorized read access to sensitive system files such as /etc/passwd or configuration files
- Unexpected file writes in directories adjacent to the SFTP root directory
Detection Strategies
- Monitor SFTP session logs for path access patterns that share the root prefix but deviate from expected subdirectory structure
- Implement file integrity monitoring on critical system files and directories adjacent to SFTP root paths
- Analyze goshs process file access using system auditing tools to detect reads/writes outside the intended root
Monitoring Recommendations
- Enable verbose logging in goshs to capture full SFTP request paths
- Configure host-based intrusion detection systems (HIDS) to alert on file access patterns consistent with path traversal attempts
- Review goshs SFTP root configurations to identify instances where sibling paths with similar prefixes could be exploited
How to Mitigate CVE-2026-40876
Immediate Actions Required
- Upgrade goshs to version 2.0.0-beta.6 or later immediately
- Audit SFTP access logs for any historical exploitation attempts using prefix-based path escape
- Review file system permissions to ensure the goshs process runs with minimal required privileges
- Consider temporarily disabling SFTP functionality until the upgrade is complete
Patch Information
This vulnerability is fixed in goshs version 2.0.0-beta.6. The fix implements proper directory-boundary checking in the sanitizePath() function rather than relying on string-prefix comparison. Users should upgrade to this version or later to remediate the vulnerability.
For detailed patch information, refer to the GitHub Security Advisory.
Workarounds
- Configure the SFTP root path to a unique directory name that is unlikely to have sibling directories with similar prefixes
- Run goshs in a containerized or sandboxed environment to limit filesystem access even if the jail is escaped
- Apply operating system-level access controls (chroot, AppArmor, SELinux) to restrict the goshs process filesystem access
- Implement network segmentation to limit which users can authenticate to the SFTP service
# Example: Run goshs with restrictive filesystem access using Docker
docker run --read-only \
-v /path/to/sftp/root:/sftp:rw \
--security-opt no-new-privileges \
goshs:2.0.0-beta.6
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
