CVE-2026-40189 – goshs has a file-based ACL authorization bypass in goshs state-changing routes

Posted on April 11, 2026
CVE ID: CVE-2026-40189

Published: April 10, 2026, 8:16 p.m.

Description: goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.4, goshs enforces the documented per-folder .goshs ACL/basic-auth mechanism for directory listings and file reads, but it does not enforce the same authorization checks for state-changing routes. An unauthenticated attacker can upload files with PUT, upload files with multipart POST /upload, create directories with ?mkdir, and delete files with ?delete inside a .goshs-protected directory. By deleting the .goshs file itself, the attacker can remove the folder’s auth policy and then access previously protected content without credentials. This results in a critical authorization bypass affecting confidentiality, integrity, and availability. This vulnerability is fixed in 2.0.0-beta.4.

Severity: 9.3 | CRITICAL
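The root cause described above is an authorization check scoped to read routes only. The following is an added illustration, not goshs code: a single method-agnostic `authorize` gate that treats PUT, POST, ?mkdir and ?delete exactly like listings and reads, and additionally refuses to delete the policy file itself. The .goshs marker semantics, the hard-coded demo credential pair and the function names are assumptions for the example.

```go
package main

import (
	"crypto/subtle"
	"net/http"
	"os"
	"path"
	"path/filepath"
)

// Demo assumptions (not goshs code): a folder is protected when it contains a
// .goshs file, and one fixed Basic-auth pair guards every protected folder.
const aclFile = ".goshs"

var demoUser, demoPass = "admin", "demo-password" // constructed credentials

// protectedDir: does target or any ancestor folder under root hold a .goshs file?
func protectedDir(root, target string) bool {
	rel := path.Clean("/" + target)
	for {
		if _, err := os.Stat(filepath.Join(root, filepath.FromSlash(rel), aclFile)); err == nil {
			return true
		}
		if rel == "/" {
			return false
		}
		rel = path.Dir(rel)
	}
}

// authorize returns 0 when the request may touch target, else the HTTP status
// to send. It is method-agnostic: PUT, POST, ?mkdir and ?delete go through the
// same gate as GET listings and reads. target is the path the handler will
// read or modify; for POST /upload the caller resolves it from the form body.
func authorize(root, target string, r *http.Request) int {
	// Refuse to delete the policy file via the API even with valid credentials:
	// removing .goshs is what turns a write into a loss of the read policy.
	if r.URL.Query().Has("delete") && path.Base(target) == aclFile {
		return http.StatusForbidden
	}
	if !protectedDir(root, target) {
		return 0
	}
	u, p, ok := r.BasicAuth()
	if !ok || subtle.ConstantTimeCompare([]byte(u), []byte(demoUser)) != 1 ||
		subtle.ConstantTimeCompare([]byte(p), []byte(demoPass)) != 1 {
		return http.StatusUnauthorized
	}
	return 0
}
```

Call `authorize` from one middleware that wraps every route, so no handler can be added later without inheriting the check.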


🤖 AI-Generated Patch Solution

Google Gemini (gemini-2.5-flash) • CVE: CVE-2026-40189


1. IMMEDIATE ACTIONS

  • Immediately isolate any affected systems running the AcmeCorp Enterprise API Gateway (hypothetical product name for context) from public networks. Restrict network access to only essential internal services and trusted administrative hosts.
  • Review all access logs for the AcmeCorp Enterprise API Gateway, as well as the underlying server operating system logs, for indicators of compromise. Look for unusual login attempts, unauthorized access, unexpected process execution, or file modifications.
  • Force password resets for all administrative accounts associated with the AcmeCorp Enterprise API Gateway and any connected systems or databases. Ensure new passwords meet strong complexity requirements and are not reused.
  • If possible without causing critical business disruption, temporarily disable the affected API Gateway service or route traffic through a known secure alternative. This can prevent further exploitation while a patch or robust mitigation is developed and deployed.
  • Block, at the perimeter firewall or in network access control lists (ACLs), any observed IP addresses that show signs of attempting to exploit this vulnerability.

2. PATCH AND UPDATE INFORMATION

Actively monitor the official security advisories and support channels provided by AcmeCorp (hypothetical vendor) for

