Skip to main content

goshs CVE-2026-50138

HIGH
Improper Access Control (CWE-284)
2026-07-01 https://github.com/patrickhener/goshs GHSA-3whc-qvhv-xqjp
8.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
vuln.today AI
7.1 HIGH

Authenticated WebDAV write/delete gives high integrity impact (I:H); confidentiality is only partial and mode-specific (C:L); PR:L reflects required BasicAuth credentials; network vector, low complexity.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 01, 2026 - 22:22 vuln.today
CVE Published
Jul 01, 2026 - 21:56 github-advisory
HIGH 8.1

DescriptionGitHub Advisory

WebDAV listener ignores --read-only, --upload-only, and --no-delete mode flags

Ecosystem: Go Package: goshs.de/goshs/v2 (github.com/patrickhener/goshs) Affected: <= v2.0.9 (every release that ships the WebDAV handler)

Summary

When goshs is launched with WebDAV enabled (-w), the mode-restriction flags --read-only, --upload-only, and --no-delete are enforced only on the primary HTTP port. The WebDAV port is wired straight to golang.org/x/net/webdav.Handler with no equivalent guard, so an authenticated WebDAV client can PUT, DELETE, MKCOL, MOVE, and COPY despite the operator's stated intent.

Details

httpserver/server.go:207-238 - the WebDAV mux registers only IPWhitelistMiddleware, ServerHeaderMiddleware, and optionally BasicAuthMiddleware. There is no fs.ReadOnly || fs.UploadOnly || fs.NoDelete check on the WebDAV path. The HTTP mux in the same file (lines 134-204) does check these flags on every state-changing route.

Proof of concept

bash
mkdir -p /tmp/r && echo secret > /tmp/r/x.txt
goshs -p 18000 -wp 18001 -w -ro -d /tmp/r -b admin:pw &

curl -u admin:pw -X PUT    http://localhost:18000/y.txt --data x
# 403  (HTTP enforces -ro)
curl -u admin:pw -X PUT    http://localhost:18001/y.txt --data x
# 201  (WebDAV writes anyway)
curl -u admin:pw -X DELETE http://localhost:18001/x.txt
# 204  (WebDAV deletes anyway)
curl -u admin:pw -X MKCOL  http://localhost:18001/pwned/
# 201  (WebDAV creates dir)

Impact

  • Integrity - --read-only and --no-delete are silently downgraded to "no protection" on the WebDAV port. Any WebDAV client (curl, cadaver, Windows Explorer, Finder) can overwrite/delete files.
  • Confidentiality - --upload-only is also bypassed: WebDAV GET/PROPFIND still return file contents.
  • Trust - operators using goshs -w -ro -d /srv/case-files -b reviewer:pw to deliver engagement artifacts believe the directory is immutable. It isn't.

Suggested fix

Add a small http.HandlerFunc in front of wdHandler that maps WebDAV verbs to the existing mode flags:

go
wdGuard := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
    switch r.Method {
    case http.MethodPut, "MKCOL", "MOVE", "COPY":
        if fs.ReadOnly || fs.UploadOnly { http.Error(w, "read-only", 403); return }
    case http.MethodDelete:
        if fs.ReadOnly || fs.UploadOnly || fs.NoDelete { http.Error(w, "delete disabled", 403); return }
    case http.MethodGet, "PROPFIND", "HEAD":
        if fs.UploadOnly { http.Error(w, "upload-only", 403); return }
    }
    wdHandler.ServeHTTP(w, r)
})

Add regression tests in integration/functions.go covering each mode flag × each WebDAV verb.

Reporter: Nishant Verma. Reproduced live against goshs v2.0.9 (commit 8fc1e91) on 2026-05-27.

AnalysisAI

Access-control bypass in the goshs WebDAV listener (Go package goshs.de/goshs/v2, all releases through v2.0.9) lets an authenticated WebDAV client write, delete, and create files even when the operator started the server with --read-only, --upload-only, or --no-delete. The mode-restriction flags are enforced only on the primary HTTP port, while the WebDAV port (-w/-wp) wires requests straight into golang.org/x/net/webdav.Handler with no guard, so PUT/DELETE/MKCOL/MOVE/COPY succeed regardless of operator intent. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach exposed WebDAV port (-wp)
Delivery
Authenticate with valid BasicAuth credentials
Exploit
Send PUT/DELETE/MKCOL request
Execution
Bypass unenforced read-only/no-delete guard
Impact
Overwrite or delete protected files

Vulnerability AssessmentAI

Exploitation goshs must be started with the WebDAV listener enabled (-w, exposing the -wp port) AND with at least one mode-restriction flag set (--read-only/-ro, --upload-only, or --no-delete) - the vulnerability is precisely the failure to enforce those flags on WebDAV. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The provided CVSS 3.1 vector (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N, base 8.1) indicates a network-reachable, low-complexity attack requiring low privileges (PR:L) - consistent with the described requirement that the attacker hold valid WebDAV credentials when BasicAuth is configured. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An operator runs `goshs -w -ro -d /srv/case-files -b reviewer:pw` to hand engagement artifacts to a reviewer, believing the directory is immutable. The reviewer (or anyone who obtains the reviewer:pw credentials) instead points a WebDAV client at the -wp port and issues PUT, DELETE, or MKCOL requests - as shown in the published PoC, these return 201/204 and silently overwrite or delete files despite -ro. …
Remediation No vendor-released patch version is identified in the available data; the advisory (GHSA-3whc-qvhv-xqjp) documents an upstream suggested fix - a small http.HandlerFunc placed in front of wdHandler that maps WebDAV verbs (PUT/MKCOL/MOVE/COPY, DELETE, GET/PROPFIND/HEAD) to the existing fs.ReadOnly/fs.UploadOnly/fs.NoDelete flags - but a released patched build is not independently confirmed, so operators should upgrade to the first goshs release above v2.0.9 that references this advisory once published and verify the fix. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory systems running goshs v2.0.9 or earlier (check go.mod/go.sum or running processes). …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-50138 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy