PT-2026-32039 · Goshs · Goshs

R1Zzg0D · Published 2026-04-10 · Updated 2026-04-28

CVE-2026-40189
CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: goshs versions prior to 2.0.0-beta.4

Description: goshs, a SimpleHTTPServer written in Go, contained an authorization bypass. Prior to version 2.0.0-beta.4, the ACL/basic-auth checks driven by a per-directory .goshs file were enforced for directory listings and file reads, but the same checks were not applied to state-changing routes. An unauthenticated attacker could therefore upload files with PUT or a multipart POST to /upload, create directories with ?mkdir, and delete files with ?delete inside a .goshs-protected directory. Deleting the .goshs file itself removed the directory's auth policy, so previously protected content became readable without credentials. The impact covers confidentiality, integrity and availability. The project's README documented the file-based ACLs as a security feature; the read/list path honoured .goshs correctly, while the write, mkdir and delete paths skipped that logic entirely, allowing unauthorized modification and removal of protected content.

Recommendations: Update to version 2.0.0-beta.4 or later to resolve this issue.
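The following is an added illustration, not code from goshs or from this advisory. It models the defect described above in a self-contained Go program: a directory tree where a .goshs file protects its directory, one handler in the pre-2.0.0-beta.4 shape (ACL consulted only on the read branch) and one hardened handler that makes the authorization decision once, before the HTTP method or query string selects a branch, and additionally refuses to overwrite or delete the policy file over HTTP. The in-memory store, the "user:password" body format of .goshs, the credentials and paths, and the hardened handler are all assumptions constructed for this example; the project's actual 2.0.0-beta.4 patch is not shown on this page. Only PUT and ?delete are modelled; ?mkdir and the multipart POST /upload route would sit on the same branch.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"path"
	"strings"
)

// store is a constructed in-memory stand-in for the directory tree goshs serves.
type store struct{ files map[string][]byte }

func newStore() *store {
	return &store{files: map[string][]byte{
		"/secret/.goshs":    []byte("alice:s3cret"), // "user:password" is an assumed .goshs format
		"/secret/plans.txt": []byte("protected content\n"),
	}}
}

// policy returns the credentials of the nearest .goshs at or above p; a present .goshs
// protects its directory and everything below it, even when its body is malformed.
func (s *store) policy(p string) (user, pass string, ok bool) {
	for dir := path.Clean(p); ; dir = path.Dir(dir) {
		if raw, found := s.files[path.Join(dir, ".goshs")]; found {
			user, pass, _ = strings.Cut(string(raw), ":")
			return user, pass, true
		}
		if dir == "/" {
			return "", "", false
		}
	}
}

// authorized is the single ACL decision: open unless protected, else basic auth must match.
func (s *store) authorized(r *http.Request) bool {
	user, pass, protected := s.policy(r.URL.Path)
	u, p, ok := r.BasicAuth()
	return !protected || (ok && u == user && p == pass)
}

// mutate is the state-changing path (PUT and ?delete shown; ?mkdir and POST /upload omitted).
func (s *store) mutate(r *http.Request) bool {
	target := path.Clean(r.URL.Path)
	if r.Method == http.MethodPut {
		s.files[target], _ = io.ReadAll(r.Body)
	} else if r.URL.Query().Has("delete") {
		delete(s.files, target)
	} else {
		return false
	}
	return true
}

// read is the list/read path, which the advisory says enforced .goshs correctly.
func (s *store) read(w http.ResponseWriter, r *http.Request) {
	if !s.authorized(r) {
		http.Error(w, "unauthorized", http.StatusUnauthorized)
	} else {
		w.Write(s.files[path.Clean(r.URL.Path)]) // 404 handling omitted for brevity
	}
}

// vulnerableHandler: the pre-2.0.0-beta.4 shape, where only the read branch checks the ACL.
func (s *store) vulnerableHandler(w http.ResponseWriter, r *http.Request) {
	if !s.mutate(r) {
		s.read(w, r)
	}
}

// hardenedHandler decides authorization once, before method or query string are consulted,
// and refuses to overwrite or delete the policy file (this example's fix, not the project's patch).
func (s *store) hardenedHandler(w http.ResponseWriter, r *http.Request) {
	policyFile := path.Base(r.URL.Path) == ".goshs"
	switch {
	case !s.authorized(r):
		http.Error(w, "unauthorized", http.StatusUnauthorized)
	case policyFile && (r.Method == http.MethodPut || r.URL.Query().Has("delete")):
		http.Error(w, "policy file is read-only over HTTP", http.StatusForbidden)
	case !s.mutate(r):
		s.read(w, r)
	}
}

// probe sends one in-process request (basic auth when user is set) and returns the status code.
func probe(h http.Handler, method, target, user, pass string) int {
	req := httptest.NewRequest(method, target, strings.NewReader("payload"))
	if user != "" {
		req.SetBasicAuth(user, pass)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

// scenario replays the advisory's attack on a fresh store: unauthenticated ?delete of
// /secret/.goshs, then an unauthenticated read of the file it used to protect.
func scenario(hardened bool) (delStatus, readStatus int) {
	s := newStore()
	h := http.HandlerFunc(s.vulnerableHandler)
	if hardened {
		h = s.hardenedHandler
	}
	return probe(h, http.MethodGet, "/secret/.goshs?delete", "", ""),
		probe(h, http.MethodGet, "/secret/plans.txt", "", "")
}

func main() {
	fmt.Println(scenario(false)) // 200 200: policy file gone, secret readable
	fmt.Println(scenario(true))  // 401 401
}
```

The vulnerable handler answers the unauthenticated ?delete with 200 and then serves the formerly protected file; the hardened handler rejects both with 401, and even a correctly authenticated client gets 403 when it targets the .goshs file itself. The same two requests are the check to run against a live instance after upgrading: an unauthenticated PUT or ?delete aimed inside a .goshs-protected directory (for example `curl -X PUT --data x http://host:port/secret/x`) must be rejected rather than answered with 200, and the .goshs file must not be removable over HTTP.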

Weakness Enumeration

Missing Authorization (CWE-862)

Related Identifiers

CVE-2026-40189
GHSA-WVHV-QCQF-F3CX
OPENSUSE-SU-2026:10542-1

Affected Products

Goshs