CVE-2026-40884
CVSS base score: 9.8 (Critical)
Published:
Last updated:
Source: security-advisories@github.com
Status: Analyzed
Weakness (CWE):
CVSS v3.1 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality: High
- Integrity: High
- Availability: High
Description
goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.6, goshs contains an SFTP authentication bypass when the documented empty-username basic-auth syntax is used. If the server is started with -b ':pass' together with -sftp, goshs accepts that configuration but does not install any SFTP password handler. As a result, an unauthenticated network attacker can connect to the SFTP service and access files without a password. This vulnerability is fixed in 2.0.0-beta.6.
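The bypass described above, modeled as an added Go example (this is not goshs source and does not reuse its internals): a hypothetical parser for the `-b user:pass` value, a vulnerable config builder that installs a password handler only when both username and password are non-empty and otherwise leaves the SSH server open, and a hardened builder together with a fail-closed `Validate` check that would have caught the bad configuration at startup. The exact mechanism by which goshs turned "no handler installed" into "no authentication required" is an assumption of the model; the names `ParseBasicAuth`, `VulnerableSFTPConfig`, `HardenedSFTPConfig`, `Validate` and `Authenticate` are hypothetical.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
	"strings"
)

// BasicAuth holds the parsed value of the "-b user:pass" flag. The empty-username
// form ":pass" is the documented syntax the advisory is about.
type BasicAuth struct {
	User string
	Pass string
}

// ParseBasicAuth splits "user:pass". It deliberately accepts ":pass", as the
// advisory says goshs does; the security decision is made when the SFTP config is built.
func ParseBasicAuth(v string) (BasicAuth, error) {
	user, pass, ok := strings.Cut(v, ":")
	if !ok || pass == "" {
		return BasicAuth{}, errors.New("basic auth must be of the form user:pass or :pass")
	}
	return BasicAuth{User: user, Pass: pass}, nil
}

// PasswordHandler stands in for an SSH server's password callback.
type PasswordHandler func(user, pass string) bool

// SFTPConfig models the two fields of an SSH server config that matter here.
// NoClientAuth mirrors the semantics of golang.org/x/crypto/ssh.ServerConfig.NoClientAuth:
// when true, every client is accepted without authenticating.
type SFTPConfig struct {
	NoClientAuth bool
	Password     PasswordHandler
}

// passwordHandlerFor returns a handler that compares credentials in constant time.
// An empty configured username means "any username"; the password is still required.
func passwordHandlerFor(a BasicAuth) PasswordHandler {
	return func(user, pass string) bool {
		userOK := a.User == "" || subtle.ConstantTimeCompare([]byte(user), []byte(a.User)) == 1
		passOK := subtle.ConstantTimeCompare([]byte(pass), []byte(a.Pass)) == 1
		return userOK && passOK
	}
}

// VulnerableSFTPConfig models the pre-2.0.0-beta.6 behaviour described in the advisory:
// a password handler is installed only when both username and password are non-empty,
// so ":pass" falls through to a server that authenticates nobody. The fall-through to
// NoClientAuth is an assumed model of how "no handler" became "no authentication".
func VulnerableSFTPConfig(a BasicAuth) SFTPConfig {
	if a.User != "" && a.Pass != "" {
		return SFTPConfig{Password: passwordHandlerFor(a)}
	}
	return SFTPConfig{NoClientAuth: true}
}

// HardenedSFTPConfig installs a handler whenever a password is configured and
// refuses to build a config that would run without one.
func HardenedSFTPConfig(a BasicAuth) (SFTPConfig, error) {
	if a.Pass == "" {
		return SFTPConfig{}, errors.New("refusing to start SFTP without a password")
	}
	cfg := SFTPConfig{Password: passwordHandlerFor(a)}
	return cfg, Validate(cfg)
}

// Validate is the fail-closed invariant a server should assert before listening:
// a password handler must be present and the server must not be marked open.
func Validate(cfg SFTPConfig) error {
	if cfg.Password == nil || cfg.NoClientAuth {
		return errors.New("sftp config would accept clients without authentication")
	}
	return nil
}

// Authenticate is what the SSH layer would do with the config for one login attempt.
func Authenticate(cfg SFTPConfig, user, pass string) bool {
	if cfg.NoClientAuth {
		return true
	}
	return cfg.Password != nil && cfg.Password(user, pass)
}

func main() {
	a, _ := ParseBasicAuth(":s3cret") // constructed input: the documented empty-username form
	v := VulnerableSFTPConfig(a)
	h, _ := HardenedSFTPConfig(a)
	fmt.Println("vulnerable, wrong password:", Authenticate(v, "attacker", "nope"))
	fmt.Println("hardened, wrong password:  ", Authenticate(h, "attacker", "nope"))
	fmt.Println("hardened, right password:  ", Authenticate(h, "attacker", "s3cret"))
	fmt.Println("validate(vulnerable):", Validate(v))
}
```

The practical check on a real deployment follows the same shape: start the build under test with `-b ':pass' -sftp` on an isolated host and attempt an SFTP login with a deliberately wrong password; any build that grants access is affected. Upgrade to 2.0.0-beta.6 or later; on affected versions, do not combine the empty-username form of `-b` with `-sftp`.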
References
- https://github.com/patrickhener/goshs/security/advisories/GHSA-c29w-qq4m-2gcv (security-advisories@github.com)