CVE-2026-40884
Published: 21 April 2026
Summary
CVE-2026-40884 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in goshs (vendor: Goshs). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked at the 19.4th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and IA-9 (Service Identification and Authentication).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Directly mitigates the SFTP authentication bypass by requiring timely remediation of the identified flaw through patching to version 2.0.0-beta.6.
- Prevents the vulnerable configuration by establishing and enforcing secure settings that properly install SFTP password handlers when using the -b ':pass' flag with -sftp.
- Ensures the SFTP service requires identification and authentication prior to allowing connections, countering the missing authentication handler.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is an authentication bypass in a publicly exposed SFTP service (goshs with -sftp and -b ':pass'), allowing direct unauthenticated network access to files. This directly enables T1190 (Exploit Public-Facing Application) for initial access without credentials or user interaction.
NVD Description
goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.6, goshs contains an SFTP authentication bypass when the documented empty-username basic-auth syntax is used. If the server is started with -b ':pass' together with -sftp, goshs accepts that configuration but does not install any SFTP password handler. As a result, an unauthenticated network attacker can connect to the SFTP service and access files without a password. This vulnerability is fixed in 2.0.0-beta.6.
Deeper analysis
CVE-2026-40884 is an SFTP authentication bypass vulnerability in goshs, a SimpleHTTPServer implementation written in Go. The issue affects versions prior to 2.0.0-beta.6 and occurs when the server is configured with the documented empty-username basic-auth syntax via the -b ':pass' flag alongside the -sftp option. In this setup, goshs accepts the configuration but fails to install any SFTP password handler, enabling unauthorized access to the SFTP service. The vulnerability is rated with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-306 (Missing Authentication for Critical Function).
An unauthenticated attacker with network access to the affected goshs server can exploit this vulnerability by directly connecting to the exposed SFTP service. No privileges, user interaction, or special conditions are required beyond reaching the server over the network. Successful exploitation allows the attacker to access files on the server without providing credentials, potentially leading to full read/write access depending on the server's filesystem permissions and configuration.
The GitHub security advisory for goshs (GHSA-c29w-qq4m-2gcv) confirms that the vulnerability is fixed in version 2.0.0-beta.6, where proper SFTP password handling is implemented for the affected configuration. Security practitioners should upgrade to this version or later and review deployments using the -b ':pass' and -sftp flags to ensure authentication is enforced.
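The NVD description and the analysis above both come down to one failure mode: a credential string with an empty username is accepted at startup, but the code path that wires a password handler into the SFTP service never runs, and the server then admits clients that presented no credentials at all. The Go program below is an added illustration of that bug class and its fail-closed fix; it is not goshs's own code and makes no claim about goshs's internals. The `Credentials`, `SFTPServerConfig`, builder and accept functions are all hypothetical, and the assumption that a server stack treats "no handler installed" as "no client authentication required" is modelled explicitly in `acceptVulnerable`. The hardened builder refuses to start without a password and the hardened accept path denies any connection for which no handler exists, which is the check a CWE-306 review of a similar service should look for.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
	"strings"
)

// Credentials holds the user:pass pair parsed from a "-b"-style flag.
// The empty-username form ":pass" is the syntax the advisory concerns.
type Credentials struct {
	User string
	Pass string
}

// ParseBasicAuth splits "user:pass"; an empty user is allowed, mirroring
// the documented ":pass" syntax. (Hypothetical helper, not goshs code.)
func ParseBasicAuth(flag string) (Credentials, error) {
	user, pass, ok := strings.Cut(flag, ":")
	if !ok {
		return Credentials{}, errors.New("basic auth flag must be user:pass")
	}
	return Credentials{User: user, Pass: pass}, nil
}

// SFTPServerConfig stands in for an SSH/SFTP server configuration.
// A nil PasswordHandler means no password check was installed.
type SFTPServerConfig struct {
	PasswordHandler func(user, pass string) bool
}

// buildVulnerable models the bug class: the handler is only installed
// when a username is present, so ":pass" leaves PasswordHandler nil.
func buildVulnerable(c Credentials) SFTPServerConfig {
	var cfg SFTPServerConfig
	if c.User != "" {
		cfg.PasswordHandler = func(u, p string) bool {
			return u == c.User && p == c.Pass
		}
	}
	return cfg
}

// acceptVulnerable models a stack that treats "no handler installed" as
// "no client authentication required" (assumption about how a missing
// handler turns into a bypass).
func acceptVulnerable(cfg SFTPServerConfig, user, pass string) bool {
	if cfg.PasswordHandler == nil {
		return true // fail open: any client is admitted
	}
	return cfg.PasswordHandler(user, pass)
}

// buildHardened always installs a handler when a password is configured
// and refuses to produce a config without one.
func buildHardened(c Credentials) (SFTPServerConfig, error) {
	if c.Pass == "" {
		return SFTPServerConfig{}, errors.New("sftp: refusing to start without a password")
	}
	return SFTPServerConfig{PasswordHandler: func(u, p string) bool {
		if c.User != "" && subtle.ConstantTimeCompare([]byte(u), []byte(c.User)) != 1 {
			return false
		}
		return subtle.ConstantTimeCompare([]byte(p), []byte(c.Pass)) == 1
	}}, nil
}

// acceptHardened fails closed: a missing handler denies the connection.
func acceptHardened(cfg SFTPServerConfig, user, pass string) bool {
	if cfg.PasswordHandler == nil {
		return false
	}
	return cfg.PasswordHandler(user, pass)
}

// VulnerableBypass reports whether the flag value, run through the flawed
// builder, admits a client that supplied no username and no password.
func VulnerableBypass(flag string) bool {
	c, err := ParseBasicAuth(flag)
	if err != nil {
		return false
	}
	return acceptVulnerable(buildVulnerable(c), "", "")
}

// HardenedLogin reports the hardened outcome for one login attempt.
func HardenedLogin(flag, user, pass string) (bool, error) {
	c, err := ParseBasicAuth(flag)
	if err != nil {
		return false, err
	}
	cfg, err := buildHardened(c)
	if err != nil {
		return false, err
	}
	return acceptHardened(cfg, user, pass), nil
}

func main() {
	fmt.Println("vulnerable ':pass', no credentials:", VulnerableBypass(":pass"))
	ok, _ := HardenedLogin(":pass", "", "pass")
	fmt.Println("hardened ':pass', correct password:", ok)
	ok, _ = HardenedLogin(":pass", "", "wrong")
	fmt.Println("hardened ':pass', wrong password:", ok)
}
```

Run as-is, the program prints `true` for the vulnerable path with empty credentials and `true`/`false` for the hardened path with the right and wrong password. The two points worth carrying into a review of any similar service are that startup validation must reject a credential configuration it cannot enforce, and that the connection-accept path must treat an absent authenticator as a denial rather than as an opt-out.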
Details
- CWE(s)