CVE-2026-40876: SFTP root escape via prefix-based path validation in goshs
goshs contains an SFTP root escape caused by prefix-based path validation. An authenticated SFTP user can read from and write to filesystem paths outside the configured SFTP root, which breaks the intended jail boundary and can expose or modify unrelated server files.
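The flaw class named above, shown as an added Go example that is not goshs's own code: a string-prefix check next to a separator-aware containment check. The function names, the root /srv/sftp and the sample paths are constructed for illustration and assume a Unix-style filesystem.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// prefixCheck (hypothetical name) shows the flawed pattern: the cleaned path
// is accepted whenever it starts with the root *string*, so a sibling such as
// /srv/sftp-backup passes a check meant for /srv/sftp.
func prefixCheck(root, requested string) bool {
	return strings.HasPrefix(filepath.Clean(requested), filepath.Clean(root))
}

// containedCheck (hypothetical name) accepts a path only if it is the root
// itself or sits below it on a path-separator boundary. It is a lexical
// check; symlinks inside the root must be resolved separately.
func containedCheck(root, requested string) bool {
	rel, err := filepath.Rel(filepath.Clean(root), filepath.Clean(requested))
	if err != nil {
		return false
	}
	return rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

func main() {
	root := "/srv/sftp" // constructed sample root
	samples := []string{ // constructed sample requests
		"/srv/sftp/docs/a.txt",
		"/srv/sftp",
		"/srv/sftp-backup/secrets.txt",
		"/srv/sftp/../sftp-private/key",
		"/etc/passwd",
	}
	for _, p := range samples {
		fmt.Printf("%-32s prefix=%-5v contained=%v\n",
			p, prefixCheck(root, p), containedCheck(root, p))
	}
}
```

Any path where the two columns disagree lies outside the jail yet is accepted by the prefix check.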