<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Goshs (&lt;= V2.0.9) - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/goshs--v2.0.9/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Fri, 03 Jul 2026 12:23:58 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/goshs--v2.0.9/feed.xml" rel="self" type="application/rss+xml"/><item><title>goshs WebDAV Listener Bypasses Access Restriction Flags</title><link>https://feed.craftedsignal.io/briefs/2026-07-goshs-webdav-flag-bypass/</link><pubDate>Fri, 03 Jul 2026 12:23:58 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-goshs-webdav-flag-bypass/</guid><description>A vulnerability (CVE-2026-50138) in `goshs` versions up to `v2.0.9` allows an authenticated attacker to bypass intended access restriction flags like `--read-only`, `--upload-only`, and `--no-delete` when the WebDAV listener is enabled, leading to unauthorized file creation, modification, deletion, and content exfiltration on the server, compromising data integrity and confidentiality.</description><content:encoded><![CDATA[<p>A significant vulnerability, tracked as CVE-2026-50138, has been identified in the <code>goshs</code> HTTP server, specifically affecting versions <code>&lt;= v2.0.9</code>. When <code>goshs</code> is configured to enable its WebDAV listener via the <code>-w</code> flag, crucial access restriction flags such as <code>--read-only</code>, <code>--upload-only</code>, and <code>--no-delete</code> are not properly enforced on the WebDAV port. This oversight allows an authenticated attacker to perform unauthorized file operations, including creating, overwriting, deleting, moving, and copying files, despite the administrator's explicit configuration to prevent such actions. Furthermore, even with <code>--upload-only</code> enabled, file contents can be retrieved via WebDAV <code>GET</code> or <code>PROPFIND</code> requests. The core issue lies in the WebDAV mux being directly wired to <code>golang.org/x/net/webdav.Handler</code> without the necessary guard logic present in the primary HTTP handler, fundamentally undermining data integrity and confidentiality assurances for affected <code>goshs</code> deployments.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An administrator deploys <code>goshs</code> with WebDAV enabled (<code>-w</code>), a data directory (<code>-d</code>), basic authentication (<code>-b</code>), and restrictive flags like <code>--read-only</code> (<code>-ro</code>) or <code>--no-delete</code>, expecting the WebDAV share to enforce these restrictions.</li>
<li>The attacker gains valid credentials for the <code>goshs</code> basic authentication, either through compromise or misconfiguration.</li>
<li>The attacker connects to the <code>goshs</code> WebDAV port (e.g., <code>http://localhost:18001</code>) and authenticates.</li>
<li>Despite <code>goshs</code> being configured with <code>--read-only</code>, the attacker sends an HTTP <code>PUT</code> request to create or overwrite a file on the WebDAV share (e.g., <code>curl -u admin:pw -X PUT http://localhost:18001/new_file.txt --data &quot;malicious content&quot;</code>).</li>
<li>The <code>goshs</code> WebDAV handler, lacking enforcement of the <code>--read-only</code> flag, successfully processes the <code>PUT</code> request, creating or modifying <code>new_file.txt</code>.</li>
<li>Similarly, the attacker sends an HTTP <code>DELETE</code> request to remove an existing file (e.g., <code>curl -u admin:pw -X DELETE http://localhost:18001/sensitive_data.txt</code>).</li>
<li>The WebDAV handler bypasses the <code>--no-delete</code> flag, successfully deleting <code>sensitive_data.txt</code>.</li>
<li>The attacker can further exfiltrate data by sending HTTP <code>GET</code> or <code>PROPFIND</code> requests, even if <code>--upload-only</code> was configured, revealing sensitive file contents.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The vulnerability in <code>goshs</code> allows a complete bypass of intended access restrictions, leading to severe consequences for data integrity and confidentiality. Any operator utilizing <code>goshs</code> with WebDAV enabled and relying on flags like <code>--read-only</code> or <code>--no-delete</code> to protect sensitive directories from modification or deletion will find their data exposed. This can result in unauthorized data alteration, complete deletion of files, creation of malicious content, and unauthorized disclosure of confidential information. While no specific victim counts are provided, any organization using <code>goshs</code> up to version <code>v2.0.9</code> for sharing sensitive files in a restricted manner, especially as a &quot;read-only&quot; artifact delivery mechanism, is directly at risk.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li><strong>Patch CVE-2026-50138 immediately</strong>: Upgrade <code>goshs</code> to a version greater than <code>v2.0.9</code> once a fix is released.</li>
<li><strong>Review <code>goshs</code> deployments</strong>: Operators running <code>goshs</code> with WebDAV enabled (<code>-w</code>) should re-evaluate their security posture, especially if relying on <code>--read-only</code>, <code>--upload-only</code>, or <code>--no-delete</code> flags.</li>
<li><strong>Implement network segmentation</strong>: For <code>goshs</code> instances serving WebDAV, restrict network access to the WebDAV port to only trusted internal networks or specific IP addresses to limit exposure.</li>
<li><strong>Disable WebDAV if not strictly necessary</strong>: If WebDAV functionality is not a core requirement, disable it entirely to mitigate the risk of CVE-2026-50138.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>webserver</category><category>misconfiguration</category><category>vulnerability</category><category>cve</category></item></channel></rss>