CVE-2026-40884

Name of the Vulnerable Software and Affected Versions goshs version v2.0.0-beta.5

Description An authentication bypass exists in the SFTP service when the server is configured using the basic authentication syntax with an empty username, such as using the -b variable with the format ':pass'. In this configuration, the software fails to install an SFTP password handler, allowing an unauthenticated network attacker to connect to the SFTP service and access files without providing a password. This can lead to unauthorized reading, uploading, renaming, and deleting of files within the configured SFTP root.

Recommendations For version v2.0.0-beta.5, avoid using the -b variable with an empty username (e.g., ':pass') when the -sftp option is enabled to prevent unauthenticated access.