PT-2026-54775 · Goshs · Goshs

Published

2026-07-01

·

Updated

2026-07-07

·

CVE-2026-50138

CVSS v3.1

8.1

High

VectorAV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions goshs versions prior to 2.0.10
Description When the WebDAV listener is enabled using the -w flag, the software fails to enforce mode-restriction flags on the WebDAV port. While the primary HTTP port correctly respects the --read-only, --upload-only, and --no-delete flags, the WebDAV port is connected directly to the golang.org/x/net/webdav.Handler without these guards. This allows an authenticated WebDAV client to perform state-changing operations such as PUT, DELETE, MKCOL, MOVE, and COPY, even when the operator has explicitly restricted these actions. This bypass affects the integrity and confidentiality of the served files, as users can overwrite or delete data and access contents in upload-only mode.
Recommendations Update goshs to version 2.0.10 or later. As a temporary workaround, avoid using the WebDAV listener (-w flag) when mode restrictions like --read-only, --upload-only, or --no-delete are required.

Fix

Improper Access Control

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-50138
GHSA-3WHC-QVHV-XQJP
GO-2026-5878

Affected Products

Goshs