In the fast-paced environment of penetration testing and CTF challenges, tools that prioritize speed and ease of use are invaluable. However, a critical security vulnerability has been identified in goshs, a popular, feature-rich replacement for Python’s SimpleHTTPServer.
The flaw, tracked as CVE-2026-40884, carries a CVSS score of 9.8, revealing that a specific configuration intended to secure the server actually leaves the front door wide open to unauthenticated attackers.
The vulnerability centers on how goshs handles SFTP authentication when using a specific basic-auth syntax. Users often employ the -b':pass' flag to set a password without a specified username.
While the server appears to accept this configuration alongside the -sftp flag, it fails to execute the most critical step: installing the SFTP password handler. As a result, the server stands ready to receive connections but possesses no mechanism to verify the password it was told to require.
An unauthenticated network attacker can connect to the SFTP service and access the entire exposed root directory without providing any credentials whatsoever.
Depending on the server’s mode and existing filesystem permissions, this bypass enables an external actor to:
- Read sensitive files within the SFTP root.
- Upload malicious payloads or unauthorized data.
- Rename or delete existing files, leading to data loss or service disruption.
The vulnerability was successfully reproduced on the v2.0.0-beta.5 release. All versions up to and including v2.0.0-beta.5 are considered vulnerable.
Remediation Steps:
- Upgrade Immediately: Users are strongly encouraged to move to v2.0.0-beta.6 or higher, where the authentication logic has been corrected.
- Audit Configurations: If you rely on empty-username authentication, verify that your current version properly enforces password requirements for SFTP.
- Validate Options: Developers are suggesting that if empty usernames are not intended for SFTP, the software should reject the -b':pass' syntax during initial option validation when SFTP is enabled.
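The two defensive patterns the remediation list points at, rejecting an empty username at option-validation time and making the SFTP password check fail closed when no handler was installed, are shown below in an added Go example. This is illustrative code written for this article, not goshs's own implementation; the `Credential`, `ValidateOptions` and `SFTPAuth` names are assumptions, and only the `-b` and `-sftp` flag semantics are taken from the advisory.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
	"strings"
)

// Credential is a parsed "user:pass" basic-auth spec, as passed to a -b flag.
// Hypothetical type for this example; not goshs's own code.
type Credential struct {
	User string
	Pass string
}

// ParseBasicAuth splits the spec at the first ':'. The syntax itself
// permits an empty username (":pass"); only the password is mandatory.
func ParseBasicAuth(spec string) (Credential, error) {
	i := strings.IndexByte(spec, ':')
	if i < 0 {
		return Credential{}, errors.New("basic auth spec must be of the form user:pass")
	}
	c := Credential{User: spec[:i], Pass: spec[i+1:]}
	if c.Pass == "" {
		return Credential{}, errors.New("password must not be empty")
	}
	return c, nil
}

// ValidateOptions implements the suggested fix: when SFTP is enabled, an
// empty username is rejected up front instead of being silently accepted.
func ValidateOptions(spec string, sftp bool) (Credential, error) {
	c, err := ParseBasicAuth(spec)
	if err != nil {
		return Credential{}, err
	}
	if sftp && c.User == "" {
		return Credential{}, errors.New("-b ':pass' (empty username) is not supported with -sftp; specify a username")
	}
	return c, nil
}

// PasswordCallback is the shape of a handler an SFTP server installs to
// verify a login attempt.
type PasswordCallback func(user, pass string) bool

// SFTPAuth holds the installed handler. The security property is that a
// missing handler denies every login rather than letting it through.
type SFTPAuth struct {
	check PasswordCallback
}

// Install sets the password handler for the given credential, comparing in
// constant time so the check does not leak timing information.
func (a *SFTPAuth) Install(c Credential) {
	a.check = func(user, pass string) bool {
		userOK := subtle.ConstantTimeCompare([]byte(user), []byte(c.User)) == 1
		passOK := subtle.ConstantTimeCompare([]byte(pass), []byte(c.Pass)) == 1
		return userOK && passOK
	}
}

// Authenticate fails closed: no handler installed means no access.
func (a *SFTPAuth) Authenticate(user, pass string) bool {
	if a.check == nil {
		return false
	}
	return a.check(user, pass)
}

func main() {
	// Constructed inputs: the vulnerable combination and a correct one.
	if _, err := ValidateOptions(":secret", true); err != nil {
		fmt.Println("rejected:", err)
	}
	c, err := ValidateOptions("alice:secret", true)
	if err != nil {
		panic(err)
	}
	var auth SFTPAuth
	fmt.Println("login before handler installed:", auth.Authenticate("alice", "secret")) // false
	auth.Install(c)
	fmt.Println("login with correct password:", auth.Authenticate("alice", "secret")) // true
	fmt.Println("login with wrong password:", auth.Authenticate("alice", "wrong"))    // false
}
```

The fail-closed `Authenticate` is the part that would have contained the advisory's bug class even if option validation were skipped: a server that reaches the accept loop without a handler should refuse logins, not grant them.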