NIXPKGS-2026-1219

GitHub issue published on

Permalink CVE-2026-40884

9.8 CRITICAL

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): NONE
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): HIGH
Integrity impact (I): HIGH
Availability impact (A): HIGH

updated 4 hours ago by @LeSuisse Activity log

Created automatic suggestion 16 hours ago
@LeSuisse accepted 5 hours ago
@LeSuisse published on GitHub 4 hours ago

goshs: Empty-username SFTP password authentication bypass in goshs

goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.6, goshs contains an SFTP authentication bypass when the documented empty-username basic-auth syntax is used. If the server is started with -b ':pass' together with -sftp, goshs accepts that configuration but does not install any SFTP password handler. As a result, an unauthenticated network attacker can connect to the SFTP service and access files without a password. This vulnerability is fixed in 2.0.0-beta.6.

References

https://github.com/patrickhener/goshs/security/advisories/GHSA-c29w-qq4m-2gcv x_refsource_CONFIRM

Affected products

goshs

==< 2.0.0-beta.6

Matching in nixpkgs

pkgs.goshs

Simple, yet feature-rich web server written in Go

nixos-unstable 2.0.1
- nixpkgs-unstable 2.0.1
- nixos-unstable-small 2.0.1
nixos-25.11 2.0.0-beta.3
- nixos-25.11-small 2.0.0-beta.3
- nixpkgs-25.11-darwin 2.0.0-beta.3

Package maintainers

@matthiasbeyer Matthias Beyer <mail@beyermatthias.de>
@SEIAROTg SEIAROTg
@fabaff Fabian Affolter <mail@fabian-affolter.ch>

Nixpkgs security tracker

Details of issue NIXPKGS-2026-1219

References

Affected products

Matching in nixpkgs

pkgs.goshs

Package maintainers