CVE-2026-40876
Published: 21 April 2026
Summary
CVE-2026-40876 is a high-severity Path Traversal (CWE-22) vulnerability in goshs (vendor: Goshs). Its CVSS base score is 8.8 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability ranks at the 16.0th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a publicly referenced proof of concept.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): requires validation of SFTP path inputs to prevent path traversal attacks that exploit the flawed prefix-based check in sanitizePath().
- SI-2 (Flaw Remediation): directly mitigates the vulnerability by applying the vendor fix in version 2.0.0-beta.6 or later, which corrects the path sanitization flaw.
- Enforces authorized access to filesystem paths within the SFTP root, countering escapes via crafted sibling paths such as /tmp/goshsroot_evil/secret.txt.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Path traversal in the SFTP server directly enables Exploit Public-Facing Application (T1190), which in turn allows arbitrary local file reads (Data from Local System, T1005), directory listing (File and Directory Discovery, T1083), and file writes for tool ingress (Ingress Tool Transfer, T1105).
NVD Description
goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.6, goshs contains an SFTP root escape caused by prefix-based path validation. An authenticated SFTP user can read from and write to filesystem paths outside the configured SFTP root, which breaks the intended jail boundary and can expose or modify unrelated server files. The SFTP subsystem routes requests through sftpserver/sftpserver.go into DefaultHandler.GetHandler() in sftpserver/handler.go, which forwards file operations into readFile, writeFile, listFile, and cmdFile. All of those sinks rely on sanitizePath() in sftpserver/helper.go. helper.go uses a raw string-prefix comparison, not a directory-boundary check. Because of that, if the configured root is /tmp/goshsroot, then a sibling path such as /tmp/goshsroot_evil/secret.txt incorrectly passes validation since it starts with the same byte prefix. This vulnerability is fixed in 2.0.0-beta.6.
Deeper analysis
goshs, a SimpleHTTPServer written in Go, is affected by CVE-2026-40876 prior to version 2.0.0-beta.6. The vulnerability is an SFTP root escape stemming from flawed prefix-based path validation in the sanitizePath() function within sftpserver/helper.go. This function performs a raw string-prefix comparison rather than a proper directory-boundary check, allowing paths like /tmp/goshsroot_evil/secret.txt to pass validation when the configured SFTP root is /tmp/goshsroot. SFTP requests are routed through sftpserver/sftpserver.go into DefaultHandler.GetHandler() in sftpserver/handler.go, which forwards operations to sinks like readFile, writeFile, listFile, and cmdFile that all rely on the vulnerable sanitizePath(). The issue is classified as CWE-22 (Path Traversal) with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
An authenticated SFTP user can exploit this vulnerability over the network with low complexity and no user interaction. By crafting paths that share a prefix with the configured root but reside outside it, the attacker can perform arbitrary read and write operations on the filesystem, breaking the intended jail boundary and potentially exposing or modifying unrelated server files.
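The prefix-comparison flaw described above, shown next to a directory-boundary check, as an added illustration that is not goshs's code: sanitizePathPrefixOnly is a hypothetical stand-in for the flawed pattern, and sanitizePathBoundary is one correct way to enforce the jail using filepath.Rel. The root /tmp/goshsroot and the sibling path come from the advisory; the request strings are constructed for the demonstration.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsideRoot is returned when a request resolves outside the jail root.
var ErrOutsideRoot = errors.New("path escapes the SFTP root")

// resolve anchors relative requests at the root and lexically cleans the result.
func resolve(root, requested string) string {
	if !filepath.IsAbs(requested) {
		requested = filepath.Join(root, requested)
	}
	return filepath.Clean(requested)
}

// sanitizePathPrefixOnly reproduces the flawed pattern the advisory describes (a
// hypothetical stand-in, not goshs's code): accept any cleaned path whose bytes
// merely start with the root, so "/tmp/goshsroot_evil/..." slips through.
func sanitizePathPrefixOnly(root, requested string) (string, error) {
	root = filepath.Clean(root)
	p := resolve(root, requested)
	if !strings.HasPrefix(p, root) {
		return "", ErrOutsideRoot
	}
	return p, nil
}

// sanitizePathBoundary is the directory-boundary check: filepath.Rel must not
// climb out of root, so a sibling sharing the prefix becomes "../goshsroot_evil/..."
// and is rejected. Lexical only: symlinks inside the root still need resolving.
func sanitizePathBoundary(root, requested string) (string, error) {
	root = filepath.Clean(root)
	p := resolve(root, requested)
	rel, err := filepath.Rel(root, p)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideRoot
	}
	return p, nil
}

func main() {
	for _, req := range []string{"docs/readme.txt", "/tmp/goshsroot_evil/secret.txt", "../goshsroot_evil/secret.txt"} {
		_, flawed := sanitizePathPrefixOnly("/tmp/goshsroot", req)
		_, fixed := sanitizePathBoundary("/tmp/goshsroot", req)
		fmt.Printf("%-32s prefix-only accepts: %-5v boundary accepts: %v\n", req, flawed == nil, fixed == nil)
	}
}
```

Running it shows the prefix-only check accepting both the absolute sibling path and the relative climb that cleans to it, while the boundary check rejects both and still accepts docs/readme.txt under the root.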
The vulnerability is addressed in goshs version 2.0.0-beta.6. Security advisories recommend updating to this version or later to mitigate the issue. Further details are provided in the GitHub security advisory at https://github.com/patrickhener/goshs/security/advisories/GHSA-5h6h-7rc9-3824.
Details
- CWE(s)