Critical SFTP Auth Bypass in goshs SimpleHTTPServer

The National Vulnerability Database has disclosed a critical authentication bypass (CVE-2026-40884) affecting goshs, a SimpleHTTPServer written in Go. Prior to version 2.0.0-beta.6, goshs configurations using the -b ':pass' flag alongside -sftp are vulnerable. This syntax, intended to enable basic authentication with an empty username, causes goshs not to install an SFTP password handler at all.

This misconfiguration allows unauthenticated network attackers to connect to the SFTP service without providing any credentials. Once connected, they gain unauthorized access to files hosted by the goshs instance. The National Vulnerability Database assigns this vulnerability a CVSS score of 9.8 (Critical), underscoring the severe impact of unauthenticated file access.

Defenders must immediately audit their goshs deployments. Any instance running versions prior to 2.0.0-beta.6 with the -b ':pass' and -sftp flags enabled is exposed. The fix is available in goshs version 2.0.0-beta.6, which addresses this critical flaw by correctly handling the SFTP password configuration.

What This Means For You

  • If your organization uses `goshs` as a SimpleHTTPServer, immediately check your deployment configuration. Specifically, look for versions prior to 2.0.0-beta.6 combined with the `-b ':pass'` and `-sftp` flags. An unauthenticated attacker can currently access your files without a password. Patch to 2.0.0-beta.6 or later without delay.
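As an added, defender-side audit helper (not part of the advisory or of the goshs project), the following Python flags a goshs invocation that combines the affected version range with the `-b ':pass'` and `-sftp` flags. It assumes the operator supplies the version string (for example from the binary's own version output) and the process argument list; accepting `-b=value` and double-dash spellings follows the conventions of Go's standard flag package and is an assumption about goshs's parser, and the sample deployments are constructed.

```python
"""Audit helper for CVE-2026-40884 (added example, not goshs project code).

Flags goshs instances that run a version older than 2.0.0-beta.6 AND were
started with -sftp plus a -b value whose username part is empty (':pass').
"""
from typing import Dict, List, Tuple

FIXED_VERSION = "2.0.0-beta.6"  # first release with the SFTP password handler fix


def parse_version(v: str) -> Tuple[Tuple[int, ...], int, Tuple[Tuple[int, int, object], ...]]:
    """Turn 'MAJOR.MINOR.PATCH[-prerelease][+build]' into a sortable key.

    Semver precedence rules: a release outranks any prerelease of the same
    core, numeric prerelease identifiers compare numerically, alphanumeric
    ones lexically, numeric identifiers rank below alphanumeric ones, and a
    longer identifier list ranks above a shorter prefix of itself.
    """
    v = v.lstrip("v").split("+", 1)[0]          # drop leading 'v' and build metadata
    core, _, pre = v.partition("-")
    nums = tuple(int(part) for part in core.split("."))
    if not pre:
        return nums, 1, ()                       # rank 1: release
    ids = []
    for ident in pre.split("."):
        if ident.isdigit():
            ids.append((0, 0, int(ident)))       # numeric identifier
        else:
            ids.append((0, 1, ident))            # alphanumeric identifier (sorts above numeric)
    return nums, 0, tuple(ids)                   # rank 0: prerelease


def is_vulnerable_version(version: str) -> bool:
    """True for any goshs version older than 2.0.0-beta.6."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def has_risky_flags(argv: List[str]) -> bool:
    """True when argv enables SFTP and basic auth with an empty username.

    Assumption: goshs uses Go-style flag parsing, so '-sftp'/'--sftp',
    '-b VALUE' and '-b=VALUE' are all accepted spellings.
    """
    sftp = False
    empty_user_auth = False
    i = 0
    while i < len(argv):
        arg = argv[i]
        if arg in ("-sftp", "--sftp"):
            sftp = True
        elif arg in ("-b", "--b") and i + 1 < len(argv):
            empty_user_auth = argv[i + 1].startswith(":")
            i += 1                               # skip the consumed value
        elif arg.startswith(("-b=", "--b=")):
            empty_user_auth = arg.split("=", 1)[1].startswith(":")
        i += 1
    return sftp and empty_user_auth


def assess(version: str, argv: List[str]) -> Dict[str, bool]:
    """Combine the two conditions; only their conjunction is exposed."""
    old = is_vulnerable_version(version)
    risky = has_risky_flags(argv)
    return {"version_affected": old, "config_affected": risky, "exposed": old and risky}


# Constructed sample deployments (version string, argv), not real hosts.
SAMPLE_DEPLOYMENTS = [
    ("2.0.0-beta.5", ["goshs", "-b", ":s3cret", "-sftp"]),     # exposed
    ("1.9.2",        ["goshs", "-b=:s3cret", "--sftp"]),       # exposed
    ("2.0.0-beta.5", ["goshs", "-b", "admin:s3cret", "-sftp"]),  # username set: not exposed
    ("2.0.0-beta.5", ["goshs", "-b", ":s3cret"]),              # no SFTP: not exposed
    ("2.0.0-beta.6", ["goshs", "-b", ":s3cret", "-sftp"]),     # fixed version
    ("2.0.0",        ["goshs", "-b", ":s3cret", "-sftp"]),     # release after the fix
]


def exposed_deployments(deployments=SAMPLE_DEPLOYMENTS) -> List[int]:
    """Return indexes of deployments that need patching now."""
    return [i for i, (ver, argv) in enumerate(deployments) if assess(ver, argv)["exposed"]]


if __name__ == "__main__":
    for i, (ver, argv) in enumerate(SAMPLE_DEPLOYMENTS):
        print(i, ver, " ".join(argv), assess(ver, argv))
```

Running the script against real data means feeding it the version and command line of each goshs process you find; the sample table above exists only so the check runs offline. Note that a non-empty username in `-b` or the absence of `-sftp` is enough to fall outside the affected configuration, but patching remains the correct fix.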

Related ATT&CK Techniques

  • T1190 (Initial Access), severity: high

Detection Rules

Six detection rules were auto-generated for this incident by the source platform and mapped to MITRE ATT&CK; the Sigma YAML of the following rule is provided:

  • Web Application Exploitation Attempt — CVE-2026-40884

Indicators of Compromise

ID | Type | Indicator
CVE-2026-40884 | Auth Bypass | goshs SimpleHTTPServer versions prior to 2.0.0-beta.6
CVE-2026-40884 | Auth Bypass | SFTP authentication bypass when using the empty-username basic-auth syntax with the -b ':pass' and -sftp flags

Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: April 21, 2026 at 23:17 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
