GHSA-3whc-qvhv-xqjp: goshs: WebDAV listener ignores --read-only, --upload-only, and --no-delete mode flags
The goshs WebDAV listener in versions up to 2.0.9 ignores the mode-restriction flags --read-only, --upload-only, and --no-delete. These flags are enforced on the primary HTTP port but not on the WebDAV port, allowing authenticated WebDAV clients to perform unauthorized write, delete, and directory operations. This leads to unintended modification and deletion of files despite operator configuration.
AI Analysis
Technical Summary
In goshs versions <= 2.0.9, when the WebDAV listener is enabled, the mode flags --read-only, --upload-only, and --no-delete are not enforced on the WebDAV port. The WebDAV handler is directly wired to golang.org/x/net/webdav.Handler without checks for these flags, unlike the primary HTTP mux which enforces them on state-changing routes. This allows authenticated WebDAV clients to PUT, DELETE, MKCOL, MOVE, and COPY files regardless of the intended restrictions, effectively bypassing the operator's access control settings.
Potential Impact
The integrity of files is compromised because the --read-only and --no-delete flags are effectively disabled on the WebDAV port, allowing overwrites and deletions. Confidentiality is also impacted since --upload-only is bypassed, permitting file reads via the WebDAV GET and PROPFIND methods. Operators who rely on these flags to protect a directory from modification or deletion get weaker protection than they configured, which can result in data loss or unauthorized changes.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. The suggested fix involves adding an HTTP handler in front of the WebDAV handler to enforce the mode flags on WebDAV verbs. Until an official fix is released, operators should avoid enabling the WebDAV listener with these mode flags or restrict access to the WebDAV port to trusted clients only.
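As an added illustration of the suggested fix (this is example code, not goshs' own), the guard below wraps the WebDAV handler so each request's verb is checked against the mode flags before it reaches golang.org/x/net/webdav; the verb-to-flag mapping and the names ModeFlags, DenyReason, EnforceModeFlags and Probe are this example's assumptions, and the inner handler is a stand-in for the real WebDAV handler.

```go
package main

import (
	"net/http"
	"net/http/httptest"
)

// ModeFlags mirrors goshs' --read-only, --upload-only and --no-delete flags (field names are this example's).
type ModeFlags struct{ ReadOnly, UploadOnly, NoDelete bool }

// Verb classes for the WebDAV methods the advisory names (constructed here;
// MOVE also counts as a delete because it removes its source).
var (
	writeVerbs  = map[string]bool{"PUT": true, "DELETE": true, "MKCOL": true, "MOVE": true, "COPY": true, "PROPPATCH": true}
	deleteVerbs = map[string]bool{"DELETE": true, "MOVE": true}
	readVerbs   = map[string]bool{"GET": true, "HEAD": true, "PROPFIND": true}
)

// DenyReason returns "" when method is allowed under f, otherwise the flag that forbids it.
func DenyReason(f ModeFlags, method string) string {
	switch {
	case f.ReadOnly && writeVerbs[method]:
		return "--read-only forbids " + method
	case f.NoDelete && deleteVerbs[method]:
		return "--no-delete forbids " + method
	case f.UploadOnly && readVerbs[method]:
		return "--upload-only forbids " + method
	}
	return ""
}

// EnforceModeFlags is the guard the advisory suggests: it checks the verb before the WebDAV handler (next) sees it.
func EnforceModeFlags(f ModeFlags, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if reason := DenyReason(f, r.Method); reason != "" {
			http.Error(w, "forbidden: "+reason, http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// Probe drives one verb through the guard to a stand-in WebDAV handler; 200 means reached, 403 means blocked.
func Probe(f ModeFlags, method string) int {
	inner := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })
	rec := httptest.NewRecorder()
	EnforceModeFlags(f, inner).ServeHTTP(rec, httptest.NewRequest(method, "/share/notes.txt", nil))
	return rec.Code
}
func main() { println(Probe(ModeFlags{ReadOnly: true}, "PUT")) } // prints 403
```

Wiring the guard in front of the real handler is a one-line change at the point where the WebDAV mux is built; the same check should also cover any authenticated path that bypasses the primary HTTP mux.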
Technical Details
- GCVE Source: db.gcve.eu
- OSV ID: GHSA-3whc-qvhv-xqjp
- OSV Schema Version: 1.4.0
- Aliases: CVE-2026-50138
- Ecosystems: Go
- Database Specific Severity: HIGH
- CVSS Version: 3.1
Threat ID: 6a45998227e9c797194186d8
Added to database: 07/01/2026, 22:49:38 UTC
Last enriched: 07/01/2026, 22:50:02 UTC
Last updated: 07/02/2026, 00:55:31 UTC