CVE-2026-34581
Published: 02 April 2026
Summary
CVE-2026-34581 is a high-severity Authentication Bypass Using an Alternate Path or Channel (CWE-288) vulnerability in goshs. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability ranks at the 9.8th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-8 (Identification and Authentication (Non-organizational Users)).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Directly addresses the vulnerability by requiring timely identification, reporting, and patching of flaws like this authentication bypass in goshs.
- IA-8 (Identification and Authentication (Non-organizational Users)): Mandates robust identification and authentication for non-organizational users, preventing bypass of the Share Token mechanism via alternate paths.
- AC-3 (Access Enforcement): Enforces approved access authorizations, blocking unauthorized access to full goshs functionality, including code execution beyond Share Token restrictions.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is an authentication bypass in a public-facing Go-based HTTP server (goshs) that grants unauthorized access to all of its functionality, including arbitrary code execution. This directly enables exploitation via T1190 (Exploit Public-Facing Application) and subsequent command or script execution via T1059 (Command and Scripting Interpreter).
NVD Description
goshs is a SimpleHTTPServer written in Go. From version 1.1.0 to before version 2.0.0-beta.2, when using the Share Token it is possible to bypass the limited selected file download with all the goshs functionalities, including code exec. This issue has been patched in version 2.0.0-beta.2.
Deeper analysis
CVE-2026-34581 is a vulnerability in goshs, a SimpleHTTPServer written in Go. It affects versions from 1.1.0 up to but not including 2.0.0-beta.2. The flaw enables bypassing the Share Token mechanism, which is intended to restrict downloads to selected files only, thereby granting access to all goshs functionalities, including code execution. The vulnerability carries a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N) and maps to CWE-288 (Authentication Bypass Using an Alternate Path or Channel).
A remote attacker requires no privileges and can exploit this over the network with low complexity, though user interaction is needed. By tricking a user into engaging with a malicious request or link involving the Share Token, the attacker can bypass restrictions to access full server capabilities, achieving high-impact confidentiality and integrity violations such as arbitrary code execution on the affected system.
The vulnerability has been patched in goshs version 2.0.0-beta.2. Mitigation involves updating to this version or later. Key resources include the patching commit at https://github.com/patrickhener/goshs/commit/6fb224ed15c2ccc0c61a5ebe22f2401eb06e9216, the release announcement at https://github.com/patrickhener/goshs/releases/tag/v2.0.0-beta.2, and the GitHub security advisory at https://github.com/patrickhener/goshs/security/advisories/GHSA-jgfx-74g2-9r6g.
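The page does not describe the patch itself, so the Go snippet below is an added illustration (not goshs's code) of the deny-by-default scoping that CWE-288 calls for: a share token is bound to one route and to the files it was issued for, so a valid token presented on any other path is refused instead of being accepted as general authentication. The token store, route name and file names are constructed assumptions.

```go
package main

import (
	"net/http"
	"net/http/httptest"
	"path"
	"strings"
)

// tokens is a constructed in-memory store (hypothetical, not goshs's): each
// share token maps to the only files it may be used to download.
var tokens = map[string]map[string]bool{
	"tok-abc123": {"report.pdf": true},
}

// authorizeShareRequest returns the HTTP status a request presenting a share
// token should get. The CWE-288 failure mode is treating a valid token as
// general authentication, so that every route (upload, exec, ...) accepts it;
// here the token is bound to the download route and its own file list, and
// everything else is denied by default.
func authorizeShareRequest(r *http.Request) (int, string) {
	allowed, ok := tokens[r.URL.Query().Get("token")]
	if !ok {
		return http.StatusUnauthorized, "unknown share token"
	}
	// Normalise first so "/download/../exec" cannot slip past the prefix test.
	clean := path.Clean(r.URL.Path)
	const downloadPrefix = "/download/"
	if !strings.HasPrefix(clean, downloadPrefix) {
		return http.StatusForbidden, "share token is valid only for downloads"
	}
	if !allowed[strings.TrimPrefix(clean, downloadPrefix)] {
		return http.StatusForbidden, "file not covered by this share token"
	}
	return http.StatusOK, "ok"
}

// decide builds a GET for the given path and token and returns the verdict.
func decide(p, token string) int {
	req := httptest.NewRequest(http.MethodGet, p+"?token="+token, nil)
	code, _ := authorizeShareRequest(req)
	return code
}

func main() {
	println(decide("/download/report.pdf", "tok-abc123")) // 200
	println(decide("/download/../exec", "tok-abc123"))    // 403
}
```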
Details
- CWE(s)