Auth bypass in Patrickhener Goshs

CVE-2026-40189

goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.4, goshs enforces the documented per-folder .goshs ACL/basic-auth mechanism for directory listings and file reads, but it does not enforce the same authorization checks for sta…

Vulnerability class: Broken Access Control

EPSS: 0.001 (16.2th percentile) — read the EPSS interpretation.

Affected products

Patrickhener Goshs — versions < 2.0.0-beta.4

Weakness classification (CWE)

CWE-862 — Missing Authorization

References

https://github.com/patrickhener/goshs/security/advisories/GHSA-wvhv-qcqf-f3cx (x_refsource_CONFIRM)
https://github.com/patrickhener/goshs/commit/f212c4f4a126556bab008f79758e21a839ef2c0f (x_refsource_MISC)
https://github.com/patrickhener/goshs/releases/tag/v2.0.0-beta.4 (x_refsource_MISC)