{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/patrick-hener/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["goshs (\u003c= v2.0.9)"],"_cs_severities":["high"],"_cs_tags":["webserver","misconfiguration","vulnerability","cve"],"_cs_type":"advisory","_cs_vendors":["Patrick Hener"],"content_html":"\u003cp\u003eA significant vulnerability, tracked as CVE-2026-50138, has been identified in the \u003ccode\u003egoshs\u003c/code\u003e HTTP server, specifically affecting versions \u003ccode\u003e\u0026lt;= v2.0.9\u003c/code\u003e. When \u003ccode\u003egoshs\u003c/code\u003e is configured to enable its WebDAV listener via the \u003ccode\u003e-w\u003c/code\u003e flag, crucial access restriction flags such as \u003ccode\u003e--read-only\u003c/code\u003e, \u003ccode\u003e--upload-only\u003c/code\u003e, and \u003ccode\u003e--no-delete\u003c/code\u003e are not properly enforced on the WebDAV port. This oversight allows an authenticated attacker to perform unauthorized file operations, including creating, overwriting, deleting, moving, and copying files, despite the administrator's explicit configuration to prevent such actions. Furthermore, even with \u003ccode\u003e--upload-only\u003c/code\u003e enabled, file contents can be retrieved via WebDAV \u003ccode\u003eGET\u003c/code\u003e or \u003ccode\u003ePROPFIND\u003c/code\u003e requests. The core issue lies in the WebDAV mux being directly wired to \u003ccode\u003egolang.org/x/net/webdav.Handler\u003c/code\u003e without the necessary guard logic present in the primary HTTP handler, fundamentally undermining data integrity and confidentiality assurances for affected \u003ccode\u003egoshs\u003c/code\u003e deployments.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn administrator deploys \u003ccode\u003egoshs\u003c/code\u003e with WebDAV enabled (\u003ccode\u003e-w\u003c/code\u003e), a data directory (\u003ccode\u003e-d\u003c/code\u003e), basic authentication (\u003ccode\u003e-b\u003c/code\u003e), and restrictive flags like \u003ccode\u003e--read-only\u003c/code\u003e (\u003ccode\u003e-ro\u003c/code\u003e) or \u003ccode\u003e--no-delete\u003c/code\u003e, expecting the WebDAV share to enforce these restrictions.\u003c/li\u003e\n\u003cli\u003eThe attacker gains valid credentials for the \u003ccode\u003egoshs\u003c/code\u003e basic authentication, either through compromise or misconfiguration.\u003c/li\u003e\n\u003cli\u003eThe attacker connects to the \u003ccode\u003egoshs\u003c/code\u003e WebDAV port (e.g., \u003ccode\u003ehttp://localhost:18001\u003c/code\u003e) and authenticates.\u003c/li\u003e\n\u003cli\u003eDespite \u003ccode\u003egoshs\u003c/code\u003e being configured with \u003ccode\u003e--read-only\u003c/code\u003e, the attacker sends an HTTP \u003ccode\u003ePUT\u003c/code\u003e request to create or overwrite a file on the WebDAV share (e.g., \u003ccode\u003ecurl -u admin:pw -X PUT http://localhost:18001/new_file.txt --data \u0026quot;malicious content\u0026quot;\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003egoshs\u003c/code\u003e WebDAV handler, lacking enforcement of the \u003ccode\u003e--read-only\u003c/code\u003e flag, successfully processes the \u003ccode\u003ePUT\u003c/code\u003e request, creating or modifying \u003ccode\u003enew_file.txt\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eSimilarly, the attacker sends an HTTP \u003ccode\u003eDELETE\u003c/code\u003e request to remove an existing file (e.g., \u003ccode\u003ecurl -u admin:pw -X DELETE http://localhost:18001/sensitive_data.txt\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe WebDAV handler bypasses the \u003ccode\u003e--no-delete\u003c/code\u003e flag, successfully deleting \u003ccode\u003esensitive_data.txt\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker can further exfiltrate data by sending HTTP \u003ccode\u003eGET\u003c/code\u003e or \u003ccode\u003ePROPFIND\u003c/code\u003e requests, even if \u003ccode\u003e--upload-only\u003c/code\u003e was configured, revealing sensitive file contents.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe vulnerability in \u003ccode\u003egoshs\u003c/code\u003e allows a complete bypass of intended access restrictions, leading to severe consequences for data integrity and confidentiality. Any operator utilizing \u003ccode\u003egoshs\u003c/code\u003e with WebDAV enabled and relying on flags like \u003ccode\u003e--read-only\u003c/code\u003e or \u003ccode\u003e--no-delete\u003c/code\u003e to protect sensitive directories from modification or deletion will find their data exposed. This can result in unauthorized data alteration, complete deletion of files, creation of malicious content, and unauthorized disclosure of confidential information. While no specific victim counts are provided, any organization using \u003ccode\u003egoshs\u003c/code\u003e up to version \u003ccode\u003ev2.0.9\u003c/code\u003e for sharing sensitive files in a restricted manner, especially as a \u0026quot;read-only\u0026quot; artifact delivery mechanism, is directly at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003ePatch CVE-2026-50138 immediately\u003c/strong\u003e: Upgrade \u003ccode\u003egoshs\u003c/code\u003e to a version greater than \u003ccode\u003ev2.0.9\u003c/code\u003e once a fix is released.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eReview \u003ccode\u003egoshs\u003c/code\u003e deployments\u003c/strong\u003e: Operators running \u003ccode\u003egoshs\u003c/code\u003e with WebDAV enabled (\u003ccode\u003e-w\u003c/code\u003e) should re-evaluate their security posture, especially if relying on \u003ccode\u003e--read-only\u003c/code\u003e, \u003ccode\u003e--upload-only\u003c/code\u003e, or \u003ccode\u003e--no-delete\u003c/code\u003e flags.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImplement network segmentation\u003c/strong\u003e: For \u003ccode\u003egoshs\u003c/code\u003e instances serving WebDAV, restrict network access to the WebDAV port to only trusted internal networks or specific IP addresses to limit exposure.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDisable WebDAV if not strictly necessary\u003c/strong\u003e: If WebDAV functionality is not a core requirement, disable it entirely to mitigate the risk of CVE-2026-50138.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-03T12:23:58Z","date_published":"2026-07-03T12:23:58Z","id":"https://feed.craftedsignal.io/briefs/2026-07-goshs-webdav-flag-bypass/","summary":"A vulnerability (CVE-2026-50138) in `goshs` versions up to `v2.0.9` allows an authenticated attacker to bypass intended access restriction flags like `--read-only`, `--upload-only`, and `--no-delete` when the WebDAV listener is enabled, leading to unauthorized file creation, modification, deletion, and content exfiltration on the server, compromising data integrity and confidentiality.","title":"goshs WebDAV Listener Bypasses Access Restriction Flags","url":"https://feed.craftedsignal.io/briefs/2026-07-goshs-webdav-flag-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed - Patrick Hener","version":"https://jsonfeed.org/version/1.1"}