The Flags Were Set. The Server Did Not Care.
On July 1, 2026, a high-severity advisory was published for goshs, a popular Go-based file server used as a drop-in replacement for Python's http.server. CVE-2026-50138 documents a straightforward failure: when WebDAV is enabled, the --read-only, --upload-only, and --no-delete command-line flags are completely ignored. Any WebDAV client can read, write, and delete files regardless of what the operator configured. The security controls exist in the interface. They do not exist in the enforcement layer.
goshs has 891 stars on GitHub and is explicitly built for red teamers and developers who need a feature-rich file server in seconds — HTTP/S, WebDAV, FTP/SFTP, SMB, LDAP, TLS, and authentication all in a single binary. The tool's appeal is speed of deployment. But speed of deployment without enforcement parity across protocols creates a specific class of risk: the operator believes restrictions are active because they set the flags. The server accepts the flags. It simply does not apply them to WebDAV.
Seven CVEs in Twelve Months for a Single File Server
CVE-2026-50138 is not an isolated finding. goshs has accumulated at least seven distinct CVEs between mid-2025 and mid-2026. CVE-2025-46816 disclosed that an unprotected route allowed unauthenticated command execution. CVE-2026-34581 — scored at CVSS 8.1 — revealed that share tokens bypassed authentication entirely, granting access to directory listing, file deletion, and arbitrary command execution. CVE-2026-42091 showed that wildcard CORS combined with missing CSRF protection allowed any website to write files to a goshs instance. CVE-2026-35393 documented path traversal in multipart uploads. CVE-2026-40189 exposed an ACL authorization bypass on state-changing routes.
Each vulnerability targets a different mechanism, but the pattern is consistent: access control logic that exists in one path but not another. Authentication that applies to HTTP but not WebSocket parameters. Mode flags that apply to the HTTP handler but not the WebDAV handler. ACLs that protect read operations but not write operations. The tool is not missing security features — it is missing enforcement consistency across its expanding protocol surface.
Broken Access Control: Still Number One
The OWASP Top 10 for 2025 placed Broken Access Control at the number one position for the second consecutive edition. The assessment found some form of broken access control in 100% of applications tested — up from 94% in the 2021 assessment. The average incidence rate held steady at 3.73% per application across 40 related CWEs. The goshs WebDAV bypass is a textbook instance: access control logic that applies to one interface but not another within the same application.
This pattern extends well beyond goshs. Quick-deploy file servers, internal development tools, and ad-hoc sharing services routinely implement access controls on their primary interface while leaving secondary protocols — WebDAV, FTP, API endpoints — without equivalent enforcement. The operator sees the flags. The documentation describes the restrictions. The secondary protocol ignores both.
Shadow IT File Servers Are Execution Surfaces
Gartner estimates that shadow IT accounts for 30 to 40% of IT spending in large enterprises. Developer file servers — tools like goshs, Python's http.server, and similar single-binary utilities — occupy a specific niche within that shadow: they are deployed for quick file transfers during development, penetration tests, and internal workflows, then left running. They are rarely inventoried, rarely monitored, and rarely updated. When the operator sets --read-only and trusts it, the exposure persists for as long as the server runs.
Shadow IT breaches cost an average of $4.63 million — 20% higher than standard incidents, primarily because detection takes longer when the asset is not in any inventory. A file server running with phantom access controls is worse than a file server running with no access controls. The operator without controls knows the server is open. The operator with phantom controls believes it is restricted. The difference is not technical. It is situational awareness — and that gap is where data walks out.
Configuration Is Not Enforcement
The goshs WebDAV bypass illustrates a principle that applies across infrastructure: the existence of a security configuration is not evidence that security is enforced. Flags, toggles, and policy files create the appearance of restriction. Enforcement requires that every protocol handler, every route, and every interface checks the same policy before executing. When a tool adds WebDAV support without wiring it into the existing access control checks, the configuration becomes theater.
For any organization running developer file servers — even temporarily, even internally — the finding demands a specific response: verify that access control flags produce the behavior they claim, across every protocol the server supports. Do not trust the documentation. Test the enforcement. If a flag does not produce a denial when it should, the flag is decoration. And in infrastructure, decoration that looks like security is the most dangerous kind.