{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40884", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-15T15:57:41.719Z", "datePublished": "2026-04-21T19:39:25.698Z", "dateUpdated": "2026-04-21T19:39:25.698Z"}, "containers": {"cna": {"title": "goshs: Empty-username SFTP password authentication bypass in goshs", "problemTypes": [{"descriptions": [{"cweId": "CWE-306", "lang": "en", "description": "CWE-306: Missing Authentication for Critical Function", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/patrickhener/goshs/security/advisories/GHSA-c29w-qq4m-2gcv", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/patrickhener/goshs/security/advisories/GHSA-c29w-qq4m-2gcv"}], "affected": [{"vendor": "patrickhener", "product": "goshs", "versions": [{"version": "< 2.0.0-beta.6", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-21T19:39:25.698Z"}, "descriptions": [{"lang": "en", "value": "goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.6, goshs contains an SFTP authentication bypass when the documented empty-username basic-auth syntax is used. If the server is started with -b ':pass' together with -sftp, goshs accepts that configuration but does not install any SFTP password handler. As a result, an unauthenticated network attacker can connect to the SFTP service and access files without a password. This vulnerability is fixed in 2.0.0-beta.6."}], "source": {"advisory": "GHSA-c29w-qq4m-2gcv", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.6, goshs contains an SFTP authentication bypass when the documented empty-username basic-auth syntax is used. If the server is started with -b ':pass' together with -sftp, goshs accepts that configuration but does not install any SFTP password handler. As a result, an unauthenticated network attacker can connect to the SFTP service and access files without a password. This vulnerability is fixed in 2.0.0-beta.6."}], "id": "CVE-2026-40884", "lastModified": "2026-04-21T20:17:02.107", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-21T20:17:02.107", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/patrickhener/goshs/security/advisories/GHSA-c29w-qq4m-2gcv"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-306"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T06:43:17.177114+00:00", "value": {"mitigation_remediation": ["Upgrade to goshs version 2.0.0\u2011beta.6 or later, which implements proper SFTP authentication handling.", "If upgrading is not immediately possible, disable the SFTP feature or block inbound traffic to the SFTP port from untrusted networks.", "Avoid using the -b ':pass' syntax with an empty username in any configuration until a secure version is deployed."], "summary": {"action": "Immediate Patch", "impact": "Unauthenticated SFTP Access"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the patrickhener:goshs product in all releases prior to 2.0.0\u2011beta.6. The affected version information is explicitly limited to versions older than 2.0.0\u2011beta.6; no other vendor or product versions are listed.", "description_and_impact": "goshs, a lightweight HTTP and SFTP server written in Go, contains a flaw that allows an attacker to bypass authentication by exploiting the documented empty\u2011username syntax. When the server is launched with the arguments -b ':pass' and -sftp, it accepts the configuration but installs no SFTP password handler, giving an unauthenticated user the ability to open an SFTP session and read or write any files on the server. This constitutes a severe authentication failure (CWE\u2011306) that can lead to the compromise of application data and potentially broader system control.", "risk_and_exploitability": "The CVSS score of 9.8 indicates critical severity. The EPSS score is not available, but the lack of a KEV listing does not diminish the risk, as the vulnerability is readily exploitable over the network. Logically, an attacker can simply open an SFTP connection using the empty username syntax, achieving unauthenticated file access. Given the broad availability of the target and the lack of countermeasures, the likelihood of exploitation is high in environments where the service is exposed to the internet or untrusted networks."}}}}, "created": "2026-04-22T06:45:10.879471+00:00", "updated": "2026-04-22T06:45:10.879483+00:00", "vendors": []}