SFTP Root Escape in goshs Affected by Prefix-Based Path Validation
CVE-2026-40876

8.7 HIGH

Key Information:

Status
Vendor
CVE Published: 21 April 2026

What is CVE-2026-40876?

goshs, a SimpleHTTPServer written in Go, allows authenticated SFTP users to read and manipulate files outside their configured SFTP root. The cause is an inadequate prefix-based path validation: the sanitization function compares the requested path against the root as a plain string prefix and does not enforce a directory boundary, so adjacent file paths whose names merely begin with the root's name pass the check. This gives users unauthorized access to data outside their root and puts both its confidentiality and the server's integrity at risk. The issue is fixed in version 2.0.0-beta.6.
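The following added example illustrates the bug class the advisory describes; it is constructed for this page and is not goshs's code, and the root path, client paths and function names are assumptions. It places the flawed string-prefix check beside a boundary-aware check so the "adjacent path" case is visible.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// Constructed example root; goshs's real configuration is not reproduced here.
const sftpRoot = "/srv/sftp/alice"

// resolve joins the client-supplied SFTP path onto the root the way a
// handler commonly does. Join also cleans the result, so ".." segments
// are collapsed into an absolute path that must then be boundary-checked.
func resolve(root, clientPath string) string {
	return filepath.Join(root, clientPath)
}

// insideRootPrefix is the flawed pattern the advisory describes: the root is
// treated as a plain string prefix, so a sibling directory whose name merely
// begins with the root's name ("/srv/sftp/alice-archive") is accepted.
func insideRootPrefix(root, resolved string) bool {
	return strings.HasPrefix(resolved, root)
}

// insideRootBoundary enforces a directory boundary instead: the resolved path
// must be the root itself or a descendant of it. filepath.Rel expresses this
// directly; any result that starts with ".." has left the root. This is a
// lexical check; symlinks under the root still need filepath.EvalSymlinks.
func insideRootBoundary(root, resolved string) bool {
	rel, err := filepath.Rel(filepath.Clean(root), resolved)
	if err != nil {
		return false // mixing absolute and relative paths is never inside
	}
	return rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

func main() {
	for _, p := range []string{"docs/report.txt", "../alice-archive/notes.txt", "../../etc/passwd"} {
		r := resolve(sftpRoot, p)
		fmt.Printf("%-28s -> %-36s prefix=%-5v boundary=%v\n",
			p, r, insideRootPrefix(sftpRoot, r), insideRootBoundary(sftpRoot, r))
	}
}
```

Only the sibling-directory case separates the two checks: a deeper traversal fails both, which is why the defect is easy to miss in testing.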

Affected Version(s)

goshs < 2.0.0-beta.6

References

CVSS V4

Score: 8.7
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
