Skip to main content

Suse CVE-2026-40189

| EUVDEUVD-2026-21591 CRITICAL
Missing Authorization (CWE-862)
2026-04-10 GitHub_M GHSA-wvhv-qcqf-f3cx
9.3
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
9.3 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

6
Analysis Updated
Apr 16, 2026 - 05:44 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
2.0.0-beta.4
EUVD ID Assigned
Apr 10, 2026 - 20:15 euvd
EUVD-2026-21591
Analysis Generated
Apr 10, 2026 - 20:15 vuln.today
CVE Published
Apr 10, 2026 - 19:44 nvd
CRITICAL 9.3

DescriptionGitHub Advisory

goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.4, goshs enforces the documented per-folder .goshs ACL/basic-auth mechanism for directory listings and file reads, but it does not enforce the same authorization checks for state-changing routes. An unauthenticated attacker can upload files with PUT, upload files with multipart POST /upload, create directories with ?mkdir, and delete files with ?delete inside a .goshs-protected directory. By deleting the .goshs file itself, the attacker can remove the folder's auth policy and then access previously protected content without credentials. This results in a critical authorization bypass affecting confidentiality, integrity, and availability. This vulnerability is fixed in 2.0.0-beta.4.

AnalysisAI

Critical authorization bypass in goshs (Go-based HTTP server) versions prior to 2.0.0-beta.4 allows unauthenticated attackers to upload, delete, and modify files in directories protected by .goshs ACL configurations. Attackers can execute state-changing operations (PUT uploads, POST /upload, directory creation via ?mkdir, file deletion via ?delete) without credentials, bypassing documented per-folder authentication mechanisms. Deleting the .goshs file itself removes authentication policies, enabling unrestricted access to previously protected content. Affects confidentiality, integrity, and availability of protected resources. No public exploit identified at time of analysis.

Technical ContextAI

Root cause is incomplete authorization enforcement (CWE-862). While goshs correctly validates credentials for directory listings and file reads against .goshs ACL policies, state-changing HTTP operations bypass these checks entirely. The vulnerability permits direct manipulation of the authorization policy file itself, creating a secondary attack path to remove all access controls.

RemediationAI

Vendor-released patch: upgrade to goshs version 2.0.0-beta.4 or later, which implements authorization checks for all state-changing routes. Official release available at https://github.com/patrickhener/goshs/releases/tag/v2.0.0-beta.4. The fix is implemented via commit f212c4f4a126556bab008f79758e21a839ef2c0f. Organizations unable to upgrade immediately should disable write operations by configuring goshs in read-only mode or restrict network access to trusted clients only. Review server logs for unauthorized file modifications, unexpected uploads, or .goshs file deletions. Complete security advisory with exploitation scenarios: https://github.com/patrickhener/goshs/security/advisories/GHSA-wvhv-qcqf-f3cx

Vendor StatusVendor

SUSE

Severity: Critical
Product Status
openSUSE Tumbleweed Fixed

Share

CVE-2026-40189 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy