{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/acl/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["authorization bypass","acl","file upload","file deletion","CVE-2026-40189"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe Goshs web server is susceptible to a critical authorization bypass (CVE-2026-40189) affecting versions up to and including 1.1.4 and v2.0.0-beta.3. The vulnerability stems from inconsistent enforcement of file-based ACLs defined by \u003ccode\u003e.goshs\u003c/code\u003e files. While the application correctly enforces authorization for reading and listing files, state-changing routes such as PUT, POST /upload, ?mkdir, and ?delete do not perform the same authorization checks. This allows unauthenticated attackers to upload, create, and delete files within directories that should be protected by authentication. The most severe impact arises from the ability to delete the \u003ccode\u003e.goshs\u003c/code\u003e file itself, thereby removing the authentication requirement and exposing previously protected content. This vulnerability undermines the intended security mechanisms of Goshs, posing a significant risk to data confidentiality, integrity, and availability.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a Goshs instance utilizing \u003ccode\u003e.goshs\u003c/code\u003e files for access control.\u003c/li\u003e\n\u003cli\u003eThe attacker sends an unauthenticated PUT request to upload a file to a protected directory, bypassing ACL checks via \u003ccode\u003ehttpserver/updown.go:18-60\u003c/code\u003e. 
Example: \u003ccode\u003ePUT /protected/put-created.txt\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker sends an unauthenticated multipart POST request to the \u003ccode\u003e/upload\u003c/code\u003e endpoint to upload a file to a protected directory, bypassing ACL checks via \u003ccode\u003ehttpserver/updown.go:63-165\u003c/code\u003e. Example: \u003ccode\u003ePOST /protected/upload\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003eThe attacker sends an unauthenticated request with the \u003ccode\u003e?mkdir\u003c/code\u003e parameter to create a directory within the protected directory, bypassing ACL checks via \u003ccode\u003ehttpserver/handler.go:901-937\u003c/code\u003e. Example: \u003ccode\u003e/?mkdir=new_directory\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003eThe attacker sends an unauthenticated request with the \u003ccode\u003e?delete\u003c/code\u003e parameter targeting the \u003ccode\u003e.goshs\u003c/code\u003e file within the protected directory, leveraging the vulnerable route in \u003ccode\u003ehttpserver/handler.go:679-698\u003c/code\u003e. 
Example: \u003ccode\u003e/.goshs?delete\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003eThe server deletes the \u003ccode\u003e.goshs\u003c/code\u003e file using \u003ccode\u003eos.RemoveAll()\u003c/code\u003e, effectively removing the access control restrictions for the directory.\u003c/li\u003e\n\u003cli\u003eThe attacker sends an unauthenticated request to access previously protected files, which are now accessible due to the absence of the \u003ccode\u003e.goshs\u003c/code\u003e file.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to sensitive information and can perform further malicious actions, such as deleting or modifying critical files.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows unauthenticated attackers to bypass intended access controls in Goshs deployments. This can lead to unauthorized access to sensitive files, potentially exposing confidential information. Attackers can also create, modify, or delete files within protected directories, causing data corruption or service disruption. The ability to delete the \u003ccode\u003e.goshs\u003c/code\u003e file directly amplifies the impact, as it permanently removes the authentication barrier, affecting all previously protected content. 
This vulnerability poses a significant threat to the confidentiality, integrity, and availability of Goshs-hosted data.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the vendor-supplied patch or upgrade to a version of Goshs that addresses CVE-2026-40189.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Goshs Unauthenticated .goshs Deletion\u0026rdquo; to your SIEM to detect attempts to remove \u003ccode\u003e.goshs\u003c/code\u003e ACL files via the \u003ccode\u003e?delete\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Goshs Unauthenticated PUT Request to Protected Directories\u0026rdquo; to detect unauthorized file uploads to protected directories.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for PUT, POST, and DELETE requests targeting directories containing \u003ccode\u003e.goshs\u003c/code\u003e files to identify potential exploitation attempts. (Log Source: webserver)\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-10T20:02:46Z","date_published":"2026-04-10T20:02:46Z","id":"/briefs/2026-04-goshs-acl-bypass/","summary":"Goshs is vulnerable to an authorization bypass (CVE-2026-40189) due to inconsistent enforcement of .goshs ACLs on state-changing routes, allowing an unauthenticated attacker to manipulate files within protected directories and bypass authentication barriers.","title":"Goshs File-Based ACL Authorization Bypass Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-goshs-acl-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed — Acl","version":"https://jsonfeed.org/version/1.1"}