Platform: go
Component: github.com/patrickhener/goshs
Fixed in: 2.0.1, 1.1.5
CVE-2026-40189 is a critical authorization bypass vulnerability affecting goshs versions up to 1.1.4. An unauthenticated attacker can use this flaw to upload files, create directories, delete files, and even remove the .goshs file, which disables authentication for that directory. The vulnerability was published on 2026-04-10, and a fix is available in version 2.0.0-beta.4.
This vulnerability poses a significant risk because it grants complete control over protected resources within a goshs-managed directory. An attacker can upload malicious files, which may lead to remote code execution if the application processes them. Deleting the .goshs file removes all authentication controls, giving the attacker unrestricted access to every file and directory that the .goshs configuration previously protected. This could result in data breaches, defacement, or complete compromise of the system, and the impact is amplified if the goshs directory contains sensitive configuration files or application code.
CVE-2026-40189 is not currently listed on KEV. The EPSS score is likely to be medium or high due to the ease of exploitation and the critical impact. Public proof-of-concept code is likely to emerge given the straightforward nature of the bypass. The vulnerability was publicly disclosed on 2026-04-10.
Exploit Status
EPSS: 0.14% (34th percentile)
CISA SSVC
CVSS Vector
The primary mitigation is to upgrade immediately to version 2.0.0-beta.4 or later. If upgrading is not immediately feasible, consider a Web Application Firewall (WAF) rule that blocks unauthorized PUT, POST /upload, and ?delete requests to goshs endpoints. Review and restrict file upload permissions in the goshs configuration, monitor goshs logs for suspicious activity (in particular, attempts to access or modify the .goshs file), and enforce strict input validation to prevent malicious file uploads.
Update goshs to version 2.0.0-beta.4 or higher to mitigate the authorization bypass vulnerability. This update implements the necessary authorization checks for state-changing routes, preventing unauthorized file uploads, directory creation, and file deletion.
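The following is an added illustration of the defensive pattern the fix describes, gating every state-changing route behind an authorization check, written as a generic Go net/http middleware. It is not goshs's own code and does not reproduce its internals: the credentials, the use of HTTP Basic auth, and the rule that a request is state-changing when its method is not a plain read or when it carries the ?delete query parameter named in the advisory are all assumptions made for this example. It also refuses any write that targets a dotfile, so that even an authenticated user cannot remove the .goshs file and silently disable authentication.

```go
package main

import (
	"crypto/subtle"
	"net/http"
	"strings"
)

// Constructed credentials for this example only; a real server would load
// them from its protected-directory configuration or the environment.
const (
	exampleUser = "admin"
	examplePass = "s3cret"
)

// stateChanging reports whether a request could modify the served tree.
// Any non-read method counts, and so does a read-looking GET/HEAD that
// carries the ?delete query parameter (an assumption modelled on the
// advisory's description of the delete route).
func stateChanging(r *http.Request) bool {
	switch r.Method {
	case http.MethodGet, http.MethodHead, http.MethodOptions:
		_, hasDelete := r.URL.Query()["delete"]
		return hasDelete
	}
	return true
}

// touchesConfig reports whether any path segment is a dotfile, which covers
// the .goshs configuration file that must never be deleted or overwritten.
func touchesConfig(p string) bool {
	for _, seg := range strings.Split(p, "/") {
		if strings.HasPrefix(seg, ".") {
			return true
		}
	}
	return false
}

// validCredentials checks HTTP Basic auth in constant time so that a
// mismatch in either field takes the same time to reject.
func validCredentials(r *http.Request) bool {
	u, p, ok := r.BasicAuth()
	if !ok {
		return false
	}
	return subtle.ConstantTimeCompare([]byte(u), []byte(exampleUser)) == 1 &&
		subtle.ConstantTimeCompare([]byte(p), []byte(examplePass)) == 1
}

// RequireAuthForWrites wraps a handler so that every state-changing request
// is authorized before it reaches the handler, and the config file is never
// writable. Plain reads pass through unchanged.
func RequireAuthForWrites(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if stateChanging(r) {
			if touchesConfig(r.URL.Path) {
				http.Error(w, "forbidden", http.StatusForbidden)
				return
			}
			if !validCredentials(r) {
				w.Header().Set("WWW-Authenticate", `Basic realm="files"`)
				http.Error(w, "unauthorized", http.StatusUnauthorized)
				return
			}
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	// Serve the current directory with the write gate in front of it.
	fs := http.FileServer(http.Dir("."))
	http.ListenAndServe("127.0.0.1:8000", RequireAuthForWrites(fs))
}
```

The important property is that the decision is made once, in front of every route, rather than separately inside each upload, mkdir and delete handler: a route that forgets its own check is exactly the class of bug this advisory describes.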
CVE-2026-40189 is a critical authorization bypass vulnerability in Goshs versions up to 1.1.4, allowing unauthenticated attackers to upload, delete, and modify files.
You are affected if you are using Goshs version 1.1.4 or earlier. Check your version and upgrade immediately.
Upgrade to version 2.0.0-beta.4 or later to resolve the vulnerability. Consider WAF rules as a temporary mitigation.
While there are no confirmed reports of active exploitation, the ease of exploitation suggests it is likely to be targeted soon.
Refer to the Goshs project's repository and release notes for the official advisory and details on the fix.