CVE-2026-40884 - Vulnerability Analysis
CriticalCVSS: 9.8Last Updated: April 21, 2026
goshs - Authentication Bypass
Overview
goshs < 2.0.0-beta.6 contains an authentication bypass caused by missing SFTP password handler when using empty-username basic-auth syntax with -b ':pass' and -sftp, letting unauthenticated network attackers access files without a password, exploit requires specific server startup configuration.
Severity & Score
Impact
Unauthenticated attackers can access files via SFTP without a password, leading to unauthorized file access.
Mitigation
Upgrade to version 2.0.0-beta.6 or later.
Social Media Activity(2 posts)
š“ CVE-2026-40884 - Critical (9.8) goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.6, goshs contains an SFTP authentication bypass when the documented empty-username basic-auth syntax is used. If the server is started with -b ':pass' together with -sftp, goshs accept... š https://www.thehackerwire.com/vulnerability/CVE-2026-40884/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
View original post
š“ CVE-2026-40884 - Critical (9.8) goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.6, goshs contains an SFTP authentication bypass when the documented empty-username basic-auth syntax is used. If the server is started with -b ':pass' together with -sftp, goshs accept... š https://www.thehackerwire.com/vulnerability/CVE-2026-40884/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
View original postRelated Resources
Details
- CVE ID
- CVE-2026-40884
- Severity
- Critical
- CVSS Score
- 9.8
- Type
- broken_authentication
- Status
- new
- EPSS
- 0.0%
- Social Posts
- 2
CWE
- CWE-306
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H