PT-2026-29664 · Goshs · Goshs

Marduc812 · Published 2026-04-01 · Updated 2026-05-02 · CVE-2026-34581

CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: goshs versions 1.1.0 through 2.0.0-beta.2

Description: goshs, a SimpleHTTPServer written in Go, has a flaw in which the Share Token mechanism can be bypassed. This bypass allows unauthorized access to all goshs functionalities, including code execution. Specifically, the BasicAuthMiddleware incorrectly prioritizes the ?token= parameter check over credential verification. If a valid token exists in SharedLinks, the request bypasses authentication entirely, even if the ?ws (WebSocket) parameter is present. This allows an attacker to reach features intended to be restricted, such as directory listing, file deletion, clipboard access, WebSocket connections, and CLI command execution. A proof-of-concept (PoC) demonstrates the ability to execute commands like id and cat /etc/passwd without authentication using a share token.

Recommendations: Update goshs to version 2.0.0-beta.2 or later.
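The ordering problem described above, shown in an added illustration that is not goshs code: a hypothetical middleware pair in which the vulnerable variant lets any known share token satisfy authentication for the whole request, while the hardened variant scopes the token to the path it was issued for and never lets it satisfy a request carrying the ?ws parameter. The token store, credentials, paths and handler names are constructed for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Constructed stand-in for the share-token store (token -> shared path).
// The values are illustrative and are not taken from goshs.
var sharedLinks = map[string]string{
	"abc123": "/public/report.pdf",
}

// credentialsOK checks HTTP Basic credentials against constructed values.
func credentialsOK(r *http.Request) bool {
	user, pass, ok := r.BasicAuth()
	return ok && user == "admin" && pass == "secret"
}

// requireCredentials is the fallback both middlewares share: without valid
// credentials the request is rejected with 401.
func requireCredentials(next http.Handler, w http.ResponseWriter, r *http.Request) {
	if !credentialsOK(r) {
		w.Header().Set("WWW-Authenticate", `Basic realm="restricted"`)
		http.Error(w, "unauthorized", http.StatusUnauthorized)
		return
	}
	next.ServeHTTP(w, r)
}

// vulnerableAuth reproduces the ordering the advisory describes: a known
// ?token= value short-circuits authentication for the whole request, so
// privileged features (for example the ?ws channel) become reachable with a
// share token alone.
func vulnerableAuth(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if _, ok := sharedLinks[r.URL.Query().Get("token")]; ok {
			next.ServeHTTP(w, r)
			return
		}
		requireCredentials(next, w, r)
	})
}

// hardenedAuth accepts a token only for the exact path it was issued for and
// never for a request that carries ?ws; everything else must present
// credentials.
func hardenedAuth(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		q := r.URL.Query()
		_, wantsWS := q["ws"]
		if path, ok := sharedLinks[q.Get("token")]; ok && !wantsWS && path == r.URL.Path {
			next.ServeHTTP(w, r)
			return
		}
		requireCredentials(next, w, r)
	})
}

// statusFor sends an unauthenticated GET for target through mw in-process and
// returns the HTTP status code, so the two policies can be compared offline.
func statusFor(mw func(http.Handler) http.Handler, target string) int {
	allowed := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
	})
	rec := httptest.NewRecorder()
	mw(allowed).ServeHTTP(rec, httptest.NewRequest(http.MethodGet, target, nil))
	return rec.Code
}

func main() {
	for _, tc := range []struct {
		name   string
		mw     func(http.Handler) http.Handler
		target string
	}{
		{"vulnerable, token + ws", vulnerableAuth, "/?token=abc123&ws=1"},
		{"hardened, token + ws", hardenedAuth, "/?token=abc123&ws=1"},
		{"hardened, token on shared path", hardenedAuth, "/public/report.pdf?token=abc123"},
		{"hardened, token on other path", hardenedAuth, "/?token=abc123"},
	} {
		fmt.Printf("%-32s -> %d\n", tc.name, statusFor(tc.mw, tc.target))
	}
}
```

The point of the comparison is that a share token is a capability for one resource, not a substitute for credentials; the hardened variant keeps the credential check as the default path and treats the token as a narrow exception checked after the request's privileged parameters.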

Tags: Fix · RCE · Authentication Bypass Using an Alternate Path or Channel


Weakness Enumeration

Related Identifiers

CVE-2026-34581
GHSA-JGFX-74G2-9R6G

Affected Products

Goshs