CVE-2026-29061

Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to version 2.2.3, a privilege escalation vulnerability in the user rank demotion logic allows a demoted user's existing API keys to retain ApiPermManageFileRequests and ApiPermManageLogs permissions, enabling continued access to upload-request management and log viewing endpoints after the user has been stripped of all privileges. This issue has been patched in version 2.2.3.

CVSS v3 5.4 MEDIUM

5.4^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.3 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/Forceu/Gokapi/releases/tag/v2.2.3	Release Notes
https://github.com/Forceu/Gokapi/security/advisories/GHSA-q658-hfpg-35qc	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:forceu:gokapi:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-03-06 05:16

Updated : 2026-03-09 18:50

NVD link : CVE-2026-29061

Mitre link : CVE-2026-29061

CVE.ORG link : CVE-2026-29061

JSON object : View

Products Affected

forceu

gokapi

CWE

CWE-284

Improper Access Control

{"id": "CVE-2026-29061", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.3}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.3}]}, "published": "2026-03-06T05:16:40.903", "references": [{"url": "https://github.com/Forceu/Gokapi/releases/tag/v2.2.3", "tags": ["Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/Forceu/Gokapi/security/advisories/GHSA-q658-hfpg-35qc", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-284"}]}], "descriptions": [{"lang": "en", "value": "Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to version 2.2.3, a privilege escalation vulnerability in the user rank demotion logic allows a demoted user's existing API keys to retain ApiPermManageFileRequests and ApiPermManageLogs permissions, enabling continued access to upload-request management and log viewing endpoints after the user has been stripped of all privileges. This issue has been patched in version 2.2.3."}, {"lang": "es", "value": "Gokapi es un servidor de intercambio de archivos autoalojado con expiraci\u00f3n autom\u00e1tica y soporte de cifrado. Antes de la versi\u00f3n 2.2.3, una vulnerabilidad de escalada de privilegios en la l\u00f3gica de degradaci\u00f3n de rango de usuario permite que las claves API existentes de un usuario degradado retengan los permisos ApiPermManageFileRequests y ApiPermManageLogs, lo que permite el acceso continuo a los puntos finales de gesti\u00f3n de solicitudes de carga y visualizaci\u00f3n de registros despu\u00e9s de que al usuario se le hayan retirado todos los privilegios. Este problema ha sido parcheado en la versi\u00f3n 2.2.3."}], "lastModified": "2026-03-09T18:50:07.253", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:forceu:gokapi:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8645BF69-6E20-4571-ABA4-A9C590D032C8", "versionEndExcluding": "2.2.3"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}