PT-2026-54775 · Goshs · Goshs
Published
2026-07-01
·
Updated
2026-07-07
·
CVE-2026-50138
CVSS v3.1
8.1
High
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N |
Name of the Vulnerable Software and Affected Versions
goshs versions prior to 2.0.10
Description
When the WebDAV listener is enabled using the
-w flag, the software fails to enforce mode-restriction flags on the WebDAV port. While the primary HTTP port correctly respects the --read-only, --upload-only, and --no-delete flags, the WebDAV port is connected directly to the golang.org/x/net/webdav.Handler without these guards. This allows an authenticated WebDAV client to perform state-changing operations such as PUT, DELETE, MKCOL, MOVE, and COPY, even when the operator has explicitly restricted these actions. This bypass affects the integrity and confidentiality of the served files, as users can overwrite or delete data and access contents in upload-only mode.Recommendations
Update goshs to version 2.0.10 or later.
As a temporary workaround, avoid using the WebDAV listener (
-w flag) when mode restrictions like --read-only, --upload-only, or --no-delete are required.Fix
Improper Access Control
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Goshs