Cyber Resilience

CVE-2026-34581

HighPublic PoC

Published: 02 April 2026

Published
02 April 2026
Modified
15 April 2026
KEV Added
Patch
CVSS Score v3.1 8.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
EPSS Score 0.0039 30.9th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-34581 is a high-severity Authentication Bypass Using an Alternate Path or Channel (CWE-288) vulnerability in Goshs Goshs. Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 30.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-8 (Identification and Authentication (Non-organizational Users)).

Deeper analysis

CVE-2026-34581 is a vulnerability in goshs, a SimpleHTTPServer written in Go. It affects versions from 1.1.0 up to but not including 2.0.0-beta.2. The flaw enables bypassing the Share Token mechanism, which is intended to restrict downloads to selected files only, thereby granting access to all goshs functionalities, including code execution. The vulnerability carries a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N) and maps to CWE-288 (Authentication Bypass Using an Alternate Path or Channel).

A remote attacker requires no privileges and can exploit this over the network with low complexity, though user interaction is needed. By tricking a user into engaging with a malicious request or link involving the Share Token, the attacker can bypass restrictions to access full server capabilities, achieving high-impact confidentiality and integrity violations such as arbitrary code execution on the affected system.

The vulnerability has been patched in goshs version 2.0.0-beta.2. Mitigation involves updating to this version or later. Key resources include the patching commit at https://github.com/patrickhener/goshs/commit/6fb224ed15c2ccc0c61a5ebe22f2401eb06e9216, the release announcement at https://github.com/patrickhener/goshs/releases/tag/v2.0.0-beta.2, and the GitHub security advisory at https://github.com/patrickhener/goshs/security/advisories/GHSA-jgfx-74g2-9r6g.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

goshs is a SimpleHTTPServer written in Go. From version 1.1.0 to before version 2.0.0-beta.2, when using the Share Token it is possible to bypass the limited selected file download with all the gosh functionalities, including code exec. This issue has…

more

been patched in version 2.0.0-beta.2.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059 Command and Scripting Interpreter Execution
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Why these techniques?

The vulnerability is an authentication bypass in a public-facing Go-based HTTP server (goshs) that grants unauthorized access to all functionalities including arbitrary code execution, directly enabling exploitation via T1190 and subsequent command/script execution via T1059.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-40884Same product: Goshs Goshs
CVE-2026-40883Same product: Goshs Goshs
CVE-2026-40885Same product: Goshs Goshs
CVE-2026-40903Same product: Goshs Goshs
CVE-2026-40189Same product: Goshs Goshs
CVE-2026-40876Same product: Goshs Goshs
CVE-2026-40188Same product: Goshs Goshs
CVE-2026-44574Shared CWE-288
CVE-2025-2747Shared CWE-288
CVE-2025-69101Shared CWE-288

Affected Assets

goshs
goshs
2.0.0 · 1.1.0 — 2.0.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly addresses the vulnerability by requiring timely identification, reporting, and patching of flaws like this authentication bypass in goshs.

prevent

Mandates robust identification and authentication for non-organizational users, preventing bypass of the Share Token mechanism via alternate paths.

prevent

Enforces approved access authorizations, blocking unauthorized access to full goshs functionalities including code execution beyond share token restrictions.

References