CVE-2026-40189
Published: 10 April 2026
Summary
CVE-2026-40189 is a critical-severity Missing Authorization (CWE-862) vulnerability in goshs, a SimpleHTTPServer written in Go. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked at the 35.3rd percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-25 (Reference Monitor) and AC-3 (Access Enforcement).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
AC-3 (Access Enforcement): Enforces approved authorizations for all logical access to system resources, directly addressing the failure to apply ACL/basic-auth checks to state-changing routes such as PUT, POST /upload, ?mkdir and ?delete.
AC-25 (Reference Monitor): Implements a reference monitor mediating all access attempts between subjects and objects, so that per-folder authorizations are enforced consistently across all goshs server operations, including the state-changing routes that previously skipped the checks.
SI-2 (Flaw Remediation): Requires timely flaw remediation through upgrade to goshs 2.0.0-beta.4, which fixes the authorization bypass that allowed unauthenticated file modifications and deletion of the .goshs policy file.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE enables exploitation of a public-facing web server (T1190) for unauthorized file upload (T1105, Ingress Tool Transfer) and file deletion (T1070.004, Indicator Removal: File Deletion) via unprotected HTTP endpoints.
NVD Description
goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.4, goshs enforces the documented per-folder .goshs ACL/basic-auth mechanism for directory listings and file reads, but it does not enforce the same authorization checks for state-changing routes. An unauthenticated attacker can upload files with PUT, upload files with multipart POST /upload, create directories with ?mkdir, and delete files with ?delete inside a .goshs-protected directory. By deleting the .goshs file itself, the attacker can remove the folder's auth policy and then access previously protected content without credentials. This results in a critical authorization bypass affecting confidentiality, integrity, and availability. This vulnerability is fixed in 2.0.0-beta.4.
Deeper analysis
CVE-2026-40189 is a critical authorization bypass vulnerability (CWE-862) in goshs, a SimpleHTTPServer implementation written in Go. In versions prior to 2.0.0-beta.4, the server enforces per-folder .goshs ACL/basic-auth mechanisms for directory listings and file reads, but fails to apply the same checks to state-changing routes. This allows unauthorized modifications within protected directories, with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
An unauthenticated remote attacker can exploit this vulnerability by sending requests such as PUT to upload files, multipart POST to /upload, ?mkdir to create directories, or ?delete to remove files, all within .goshs-protected directories. By specifically deleting the .goshs file itself, the attacker can eliminate the folder's authentication policy, gaining unauthorized access to previously protected content. This compromises confidentiality, integrity, and availability of served files.
The vulnerability is fixed in goshs version 2.0.0-beta.4. Security practitioners should upgrade to this version or later. Relevant resources include the fixing commit at https://github.com/patrickhener/goshs/commit/f212c4f4a126556bab008f79758e21a839ef2c0f, the release page at https://github.com/patrickhener/goshs/releases/tag/v2.0.0-beta.4, and the GitHub security advisory at https://github.com/patrickhener/goshs/security/advisories/GHSA-wvhv-qcqf-f3cx.
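To make the defect and the AC-25 style fix concrete, the following added example (not goshs code and not the fixing commit) contrasts an authorization check that only covers plain reads with a reference monitor that mediates every method and query action on a protected folder and refuses to let the policy file itself be deleted or overwritten. The policy store, credentials, folder names and the helper names protectedBy, credsOK, vulnerableAuthorize and fixedAuthorize are constructed assumptions for illustration.

```go
package main

import (
	"net/http"
	"path"
	"strings"
)

const policyFile = ".goshs" // per-folder policy marker, as in goshs
// Constructed, hypothetical policy store: protected folder -> basic-auth pair.
var folderCreds = map[string][2]string{"/secret/": {"alice", "s3cret"}}

// protectedBy cleans p ("/pub/../secret/x" -> "/secret/x") and finds its policy folder.
func protectedBy(p string) (string, bool) {
	p = path.Clean("/"+p) + "/"
	for folder := range folderCreds {
		if strings.HasPrefix(p, folder) {
			return folder, true
		}
	}
	return "", false
}

func credsOK(r *http.Request, folder string) bool {
	u, pw, ok := r.BasicAuth()
	c := folderCreds[folder]
	return ok && u == c[0] && pw == c[1]
}

// vulnerableAuthorize mirrors the pre-fix behaviour: only plain reads are checked.
func vulnerableAuthorize(r *http.Request) int {
	folder, protected := protectedBy(r.URL.Path)
	isRead := r.Method == http.MethodGet && !r.URL.Query().Has("mkdir") && !r.URL.Query().Has("delete")
	if protected && isRead && !credsOK(r, folder) {
		return http.StatusUnauthorized
	}
	return http.StatusOK
}

// fixedAuthorize is a reference monitor: every route on a protected folder needs credentials, and the policy file itself is off limits.
func fixedAuthorize(r *http.Request) int {
	folder, protected := protectedBy(r.URL.Path)
	if protected && !credsOK(r, folder) {
		return http.StatusUnauthorized
	}
	if protected && (r.URL.Query().Get("delete") == policyFile || path.Base(r.URL.Path) == policyFile) {
		return http.StatusForbidden
	}
	return http.StatusOK
}
```

Wrapping a file-serving handler with fixedAuthorize gives one decision point for listings, reads, uploads, mkdir and delete alike, which is the property the pre-fix server lacked.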
Details
- CWE(s)