CVE-2026-34581 is an authentication bypass vulnerability classified under CWE-288, affecting goshs, a SimpleHTTPServer implemented in Go by patrickhener. The issue exists in versions from 1.1.0 up to but excluding 2.0.0-beta.2. When the Share Token feature is enabled, it is possible for an attacker to circumvent the intended limited file download restrictions. This bypass grants unauthorized access to all goshs functionalities, including the ability to execute arbitrary code remotely. The vulnerability arises due to improper validation or enforcement of access controls when using alternate paths or channels via the Share Token mechanism. The CVSS v3.1 score is 8.1 (high), reflecting network attack vector, low attack complexity, no privileges required, but requiring user interaction. The impact includes full compromise of confidentiality and integrity of the server and its data, while availability remains unaffected. The flaw has been addressed in goshs version 2.0.0-beta.2, but no public exploit code or active exploitation has been reported to date. This vulnerability poses a significant risk to deployments exposing the Share Token feature, especially in environments where goshs serves sensitive files or is integrated into larger systems.

The vulnerability enables attackers to bypass authentication controls and gain unauthorized access to all functionalities of goshs, including remote code execution. This can lead to full compromise of the affected server, allowing attackers to read, modify, or delete sensitive files and execute arbitrary commands. Organizations relying on goshs for file sharing or HTTP serving could suffer data breaches, intellectual property theft, or system takeover. Since the attack vector is network-based and requires no privileges, any exposed instance with Share Token enabled is at risk. The requirement for user interaction slightly reduces exploitation ease but does not eliminate risk, especially in targeted phishing or social engineering scenarios. The compromise of integrity and confidentiality can have cascading effects if goshs is part of a larger infrastructure, potentially enabling lateral movement or persistent footholds. Although availability is not directly impacted, the overall security posture and trustworthiness of affected systems are severely undermined.

Immediate upgrade to goshs version 2.0.0-beta.2 or later is the primary mitigation step to address this vulnerability. Organizations should audit all deployments to identify instances running affected versions and disable or restrict the Share Token feature until patched. Implement network-level access controls such as firewalls or VPNs to limit exposure of goshs servers to trusted users only. Monitor logs for unusual access patterns related to Share Token usage and investigate any anomalies promptly. Employ multi-factor authentication and user training to reduce risks from social engineering that could facilitate user interaction required for exploitation. Consider isolating goshs instances in segmented network zones with minimal privileges to limit potential damage. Regularly review and update software dependencies and maintain an inventory of all goshs deployments to ensure timely patching. Finally, conduct penetration testing focused on authentication bypass scenarios to validate the effectiveness of mitigations.