Threat Advisory

goshs SFTP Vulnerability Exposes Authentication Bypass

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: Critical

EXECUTIVE SUMMARY:

CVE-2026-40884, with a CVSS score of 9.8, is a critical authentication bypass vulnerability affecting goshs SFTP servers. The flaw impacts versions up to and including v2.0.0-beta.5, where a configuration intended to secure the server leaves the front door open to unauthenticated attackers. The vulnerability centers on how goshs handles SFTP authentication when a specific basic-auth syntax is used: the -b ':pass' flag, which sets a password without specifying a username. An unauthenticated network attacker can connect to the SFTP service, access the entire exposed root directory, and perform malicious actions such as reading sensitive files, uploading unauthorized data, and renaming or deleting existing files, leading to data loss or service disruption. Depending on the server's mode and existing filesystem permissions, this bypass grants an external actor the capability to manipulate and compromise sensitive data and functionality. The business impact of exploitation could be significant, including unauthorized data access, service disruption, and reputational damage. No prerequisites or conditions are required to exploit this vulnerability other than network access to the affected SFTP service.

RECOMMENDATION:

We recommend updating goshs to version v2.0.0-beta.6 or higher.
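The following Python helper is an added example for defenders and is not goshs project code. It turns the two facts in this advisory into a local audit: whether an installed goshs version is below the fixed release v2.0.0-beta.6, and whether a goshs command line passes a basic-auth value whose username part is empty (the -b ':pass' form described above). It assumes that goshs tags follow semver-style ordering, where a final release ranks above any pre-release of the same number, and that the -b flag takes a space-separated value in the form user:pass; both assumptions are marked in the code, and the sample command lines are constructed.

```python
"""Defender-side checks for the goshs SFTP authentication-bypass advisory
(CVE-2026-40884). Added example, not goshs project code."""
import re
import shlex

# From the advisory: update to this release or higher.
FIXED_VERSION = "v2.0.0-beta.6"


def parse_version(tag):
    """Parse a tag such as 'v2.0.0-beta.5' into a comparable tuple.

    Assumption: goshs tags are semver-style, so a final release ('v2.0.0')
    ranks above every pre-release of the same number ('v2.0.0-beta.N'), and
    pre-releases of the same label compare by their numeric suffix.
    """
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)(?:-([A-Za-z]+)\.?(\d+)?)?", tag.strip())
    if not m:
        raise ValueError(f"unrecognised version tag: {tag!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    if m.group(4) is None:
        # Final release: the 1 in position four outranks any pre-release (0).
        return (major, minor, patch, 1, "", 0)
    return (major, minor, patch, 0, m.group(4).lower(), int(m.group(5) or 0))


def is_affected(version):
    """True when the installed goshs version is below the fixed release."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def find_empty_user_basic_auth(cmdline):
    """Return every -b value whose username part (before the first ':') is empty.

    Assumption: goshs takes basic-auth credentials as '-b user:pass', which
    is the format the advisory's -b ':pass' example implies. Only the
    space-separated form '-b VALUE' is parsed here.
    """
    argv = shlex.split(cmdline)
    hits = []
    for i, tok in enumerate(argv):
        if tok == "-b" and i + 1 < len(argv):
            user, sep, _password = argv[i + 1].partition(":")
            if sep and user == "":
                hits.append(argv[i + 1])
    return hits


def assess(version, cmdline):
    """Combine the version check and the configuration check into findings."""
    findings = []
    if is_affected(version):
        findings.append(
            f"version {version} is affected; update to {FIXED_VERSION} or higher")
    for value in find_empty_user_basic_auth(cmdline):
        findings.append(
            f"-b value {value!r} sets a password without a username (CVE-2026-40884 pattern)")
    return findings


if __name__ == "__main__":
    # Constructed sample: a vulnerable version started with the empty-username form.
    for line in assess("v2.0.0-beta.5", "goshs -b ':secret'"):
        print("FINDING:", line)
    # Constructed sample: fixed version with a full user:pass credential.
    print("clean:", assess("v2.0.0-beta.6", "goshs -b 'admin:secret'") == [])
```

Run it against the version string and process command line of each goshs instance you operate; an empty findings list means the host is neither on an affected version nor started with the empty-username credential form.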

REFERENCES:

The following reports contain further technical details:
https://securityonline.info/goshs-sftp-authentication-bypass-cve-2026-40884/
