CVE-2026-40189: Critical Authorization Bypass in goshs State-Changing Routes
Vulnerability ID: CVE-2026-40189
CVSS Score: 9.3
Published: 2026-04-10
CVE-2026-40189 is a critical authorization bypass vulnerability in goshs, a Go-based simple HTTP server. Due to missing authorization checks on state-changing endpoints, unauthenticated attackers can delete access control lists, resulting in full read and write access to protected directories.
TL;DR
Unauthenticated attackers can bypass goshs directory protections by deleting the .goshs ACL file via exposed state-changing routes, granting full read/write access.
Technical Details
- CWE ID: CWE-862
- Attack Vector: Network
- CVSS 4.0: 9.3
- Impact: High (Confidentiality, Integrity, Availability)
- Exploit Status: None (No active exploitation)
- KEV Status: Not Listed
- Patch Version: 2.0.0-beta.4
Affected Systems
- goshs SimpleHTTPServer instances prior to version 2.0.0-beta.4
- goshs: < 2.0.0-beta.4 (Fixed in: 2.0.0-beta.4)
Code Analysis
Commit: f212c4f
Fix commit implementing findEffectiveACL and preventing .goshs deletion
Mitigation Strategies
- Upgrade application to patched version
- Implement file system read-only permissions for ACL files
- Deploy WAF rules that block state-changing HTTP methods on requests whose path targets a .goshs file
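As an added illustration of the protections the fix and the mitigations above describe (example code, not goshs's own), the following Go middleware refuses state-changing methods aimed at a .goshs path, and a hypothetical findEffectiveACL resolves the nearest ACL up the directory tree; the function's signature, the in-memory map standing in for the filesystem, and the sample ACL contents are assumptions.

```go
package main

import (
	"net/http"
	"path"
)

const aclFileName = ".goshs" // per-directory ACL file goshs reads

// isStateChanging reports whether an HTTP method can modify server state.
func isStateChanging(method string) bool {
	switch method {
	case http.MethodPost, http.MethodPut, http.MethodPatch, http.MethodDelete:
		return true
	}
	return false
}

// targetsACL reports whether a request path names a .goshs file once the
// path is cleaned, so "dir/sub/../.goshs" and "dir/.goshs/" still match.
func targetsACL(reqPath string) bool {
	clean := path.Clean("/" + reqPath)
	return path.Base(clean) == aclFileName
}

// ProtectACL wraps a handler and answers 403 to any state-changing request
// aimed at a .goshs file instead of forwarding it to the file handler.
func ProtectACL(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if isStateChanging(r.Method) && targetsACL(r.URL.Path) {
			http.Error(w, "ACL files cannot be modified over HTTP", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// findEffectiveACL is a hypothetical reconstruction (not the project's code):
// it returns the nearest .goshs contents governing dir by walking toward "/".
// acls maps directory -> ACL contents, a constructed stand-in for the disk.
func findEffectiveACL(acls map[string]string, dir string) (string, bool) {
	for d := path.Clean("/" + dir); ; d = path.Dir(d) {
		if acl, ok := acls[d]; ok {
			return acl, true
		}
		if d == "/" {
			return "", false
		}
	}
}
```

Because the lookup walks upward, a protected directory stays governed by a parent's .goshs even if its own file is missing, which is the fallback behaviour the fix's description implies.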
Remediation Steps:
- Download goshs version 2.0.0-beta.4 or later.
- Stop the running goshs service.
- Replace the goshs binary with the downloaded version.
- Restart the goshs service.
- Verify file permissions on all .goshs files to ensure the goshs service user has only read access where possible.
References
- GitHub Security Advisory GHSA-wvhv-qcqf-f3cx
- Fix Commit f212c4f4a126556bab008f79758e21a839ef2c0f
- Release v2.0.0-beta.4
- CVE-2026-40189 Record