CVE-2026-40884 Overview
CVE-2026-40884 is an authentication bypass vulnerability in goshs, a SimpleHTTPServer written in Go. Prior to version 2.0.0-beta.6, goshs contains an SFTP authentication bypass when the documented empty-username basic-auth syntax is used. If the server is started with -b ':pass' together with -sftp, goshs accepts that configuration but does not install any SFTP password handler. As a result, an unauthenticated network attacker can connect to the SFTP service and access files without a password.
Critical Impact
This vulnerability allows unauthenticated remote attackers to bypass SFTP authentication entirely, potentially gaining unauthorized access to sensitive files and data on the server without providing any credentials.
Affected Products
- goshs versions prior to 2.0.0-beta.6
- goshs installations using empty-username basic-auth syntax (-b ':pass') with SFTP enabled (-sftp)
Discovery Timeline
- 2026-04-21 - CVE CVE-2026-40884 published to NVD
- 2026-04-22 - Last updated in NVD database
Technical Details for CVE-2026-40884
Vulnerability Analysis
This vulnerability is classified as CWE-306: Missing Authentication for Critical Function. The root cause lies in a configuration handling flaw where goshs fails to properly initialize an SFTP password handler when using the empty-username basic authentication syntax. When an administrator starts the server with the -b ':pass' flag combined with the -sftp flag, the application accepts this configuration without error but critically fails to enforce any authentication on the SFTP service.
The vulnerability enables network-based attacks without requiring any user interaction or prior authentication. An attacker can achieve complete compromise of confidentiality, integrity, and availability of files accessible through the SFTP service. This is particularly concerning as SFTP is commonly used to transfer sensitive data and may provide access to critical system files depending on the server's configuration.
Root Cause
The vulnerability stems from improper handling of the empty-username basic authentication configuration. When goshs parses the -b ':pass' argument (where the username portion before the colon is empty), it fails to install any SFTP password handler. This creates a condition where the SFTP service runs without authentication enforcement, allowing any network client to connect and access files without providing credentials.
The configuration parsing logic does not validate that a proper authentication handler is installed for all enabled services, leading to this authentication bypass condition.
Attack Vector
The attack is network-based and can be executed remotely without any prior authentication or user interaction. An attacker simply needs network access to the SFTP port on a vulnerable goshs instance configured with the empty-username basic-auth syntax.
The exploitation process involves:
- Identifying a goshs server running with -b ':pass' and -sftp flags enabled
- Connecting to the SFTP service using any SFTP client
- Authenticating with any username and no password (or bypassing authentication entirely)
- Gaining unauthorized access to files served by the goshs instance
For technical details on the vulnerability mechanics, see the GitHub Security Advisory.
Detection Methods for CVE-2026-40884
Indicators of Compromise
- Unexpected SFTP connections from unknown IP addresses without corresponding successful authentication log entries
- Unauthenticated file access or transfer activity on the SFTP service
- Presence of goshs processes running with -b ':pass' and -sftp flags in combination
- Anomalous file read or write operations through the SFTP protocol
Detection Strategies
- Audit running goshs instances for vulnerable configurations using the -b ':pass' and -sftp flag combination
- Monitor SFTP connection logs for authentication bypass patterns where connections succeed without valid credentials
- Implement network monitoring to detect SFTP connections to goshs servers from unexpected sources
- Review process lists and startup scripts for vulnerable goshs configurations
Monitoring Recommendations
- Enable comprehensive logging for all SFTP connection attempts and file access operations
- Deploy network intrusion detection rules to identify unauthenticated SFTP session patterns
- Implement file integrity monitoring on directories served by goshs SFTP services
- Configure alerts for SFTP connections that do not have corresponding authentication success events
How to Mitigate CVE-2026-40884
Immediate Actions Required
- Upgrade goshs to version 2.0.0-beta.6 or later immediately
- If immediate upgrade is not possible, disable the SFTP service by removing the -sftp flag until patching is complete
- Audit all goshs deployments to identify instances using the vulnerable -b ':pass' configuration pattern
- Review file access logs to identify any potential unauthorized access that may have occurred prior to remediation
Patch Information
The vulnerability has been fixed in goshs version 2.0.0-beta.6. Organizations should upgrade to this version or later to remediate the vulnerability. The fix ensures that proper SFTP authentication handlers are installed even when using the empty-username basic authentication syntax. Additional details are available in the GitHub Security Advisory.
Workarounds
- Disable SFTP functionality by removing the -sftp flag from goshs startup commands until the upgrade can be performed
- Use a proper username in the basic authentication configuration (e.g., -b 'user:pass' instead of -b ':pass')
- Implement network-level access controls to restrict SFTP port access to authorized hosts only
- Deploy a reverse proxy or firewall rule to block external SFTP connections until the vulnerability is patched
# Configuration example - Safe goshs startup with proper authentication
# Use explicit username instead of empty-username syntax
goshs -sftp -b 'admin:securepassword'
# Alternative: Disable SFTP until patched
goshs -b ':pass'
# (Note: Remove -sftp flag to disable vulnerable SFTP service)
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
