Authorization Bypass in goshs SimpleHTTPServer by Patrick Hener
CVE-2026-40189

9.3 CRITICAL

Key Information:

CVE Published: 10 April 2026

What is CVE-2026-40189?

goshs, a SimpleHTTPServer-style file server written in Go by Patrick Hener, suffers from an authorization bypass in versions before 2.0.0-beta.4. The application enforces access control for folder listings through a .goshs file, but it does not apply the same check to its state-changing routes. An unauthenticated user can therefore upload files with PUT requests, create directories, and delete files inside directories that are meant to be protected. Because the delete route is unchecked as well, an attacker can remove the .goshs file itself and expose the previously restricted listing. The flaw affects confidentiality, integrity and availability. Users should upgrade to 2.0.0-beta.4 or later.
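The following Go program is an added example written for this page; it is not goshs' own code and does not reproduce how goshs reads or formats a .goshs file. It models the flaw with a small net/http file API: a path is treated as protected when its directory, or any directory above it up to the web root, contains a .goshs file, and protected paths require hypothetical basic-auth credentials (admin / s3cret, an assumption of this model). With checkMutations=false the check runs only for GET listings, as described for the vulnerable versions, so an unauthenticated client can PUT into the protected directory, DELETE the .goshs file, and then list the directory. With checkMutations=true the same check is applied to every method and all three requests are refused. The temporary web root, its secret/ directory and the request sequence are constructed inline.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"os"
	"path/filepath"
	"strings"
)

// Hypothetical credentials a .goshs-protected directory requires in this model.
const protectedUser, protectedPass = "admin", "s3cret"

// isProtected reports whether root/rel or any directory above it, up to root, holds a .goshs file.
func isProtected(root, rel string) bool {
	for dir := filepath.Clean(rel); ; dir = filepath.Dir(dir) {
		if _, err := os.Stat(filepath.Join(root, dir, ".goshs")); err == nil {
			return true
		}
		if filepath.Dir(dir) == dir {
			return false
		}
	}
}

// newServer is a minimal listing/upload/delete API. checkMutations=false models the
// advisory (only GET listings are checked); checkMutations=true checks every method.
func newServer(root string, checkMutations bool) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		rel := strings.TrimPrefix(filepath.Clean("/"+r.URL.Path), "/") // cannot escape root
		target := filepath.Join(root, rel)
		if (r.Method == http.MethodGet || checkMutations) && isProtected(root, rel) {
			if u, p, ok := r.BasicAuth(); !ok || u != protectedUser || p != protectedPass {
				w.Header().Set("WWW-Authenticate", `Basic realm="restricted"`)
				http.Error(w, "unauthorized", http.StatusUnauthorized)
				return
			}
		}
		var err error
		switch r.Method {
		case http.MethodGet: // listing; this model only checks that the directory is readable
			_, err = os.ReadDir(target)
		case http.MethodPut: // upload; the request body is the file content
			body, _ := io.ReadAll(r.Body)
			if err = os.WriteFile(target, body, 0o644); err == nil {
				w.WriteHeader(http.StatusCreated)
			}
		case http.MethodDelete:
			if err = os.RemoveAll(target); err == nil {
				w.WriteHeader(http.StatusNoContent)
			}
		default:
			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
		}
		if err != nil { // any filesystem failure is reported as 404 in this model
			http.Error(w, err.Error(), http.StatusNotFound)
		}
	})
}

// probe sends one unauthenticated request and returns the status code.
func probe(h http.Handler, method, path string) int {
	rr := httptest.NewRecorder()
	h.ServeHTTP(rr, httptest.NewRequest(method, path, strings.NewReader("dropped")))
	return rr.Code
}

type Outcome struct{ Put, DeleteMarker, ListAfter int }

// Attack builds a constructed root with a protected secret/ directory, then, without
// credentials, uploads into it, deletes its .goshs file and lists it.
func Attack(checkMutations bool) (Outcome, error) {
	root, err := os.MkdirTemp("", "goshs-demo")
	if err != nil {
		return Outcome{}, err
	}
	defer os.RemoveAll(root)
	dir := filepath.Join(root, "secret")
	if err = os.Mkdir(dir, 0o755); err == nil { // .goshs contents are a placeholder here
		err = os.WriteFile(filepath.Join(dir, ".goshs"), []byte("placeholder\n"), 0o600)
	}
	if err != nil {
		return Outcome{}, err
	}
	h := newServer(root, checkMutations)
	return Outcome{
		Put:          probe(h, http.MethodPut, "/secret/dropped.txt"),
		DeleteMarker: probe(h, http.MethodDelete, "/secret/.goshs"),
		ListAfter:    probe(h, http.MethodGet, "/secret/"),
	}, nil
}

func main() {
	v, _ := Attack(false)
	f, _ := Attack(true)
	fmt.Printf("vulnerable: %+v\nfixed: %+v\n", v, f) // vulnerable: 201/204/200, fixed: 401/401/401
}
```

Run it with go run: the vulnerable mode returns 201 for the upload, 204 for deleting the .goshs file and 200 for the listing that is now unprotected; the fixed mode returns 401 for all three. The design point carries over to any file server: an authorization check bound to one route (the listing) rather than to the resource leaves every other route, including the one that can delete the control file itself, outside the check.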

Affected Version(s)

goshs < 2.0.0-beta.4

CVSS V4

Score: 9.3
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined (not given on this page; the description states the bypass is reachable without authentication)
User Interaction: None

Timeline

  • Vulnerability published: 10 April 2026

  • Vulnerability Reserved