CVE-2026-28682 - Vulnerability Details

- Gokapi: Data Leak in Upload Status Stream

Description

Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to version 2.2.3, the upload status SSE implementation on /uploadStatus publishes global upload state to any authenticated listener and includes file_id values that are not scoped to the requesting user. This issue has been patched in version 2.2.3.

Published: 2026-03-06

Score: 6.4 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability lies in the server‑side event (SSE) implementation used to stream upload status to any authenticated client. The stream publishes a global set of upload records, including the identifier of every file in the system, regardless of the requesting user’s ownership. A logged‑in attacker or a benign user could therefore observe file identifiers belonging to other users, potentially revealing the existence of files they should not access. This flaw is a classic information‑disclosure weakness and also violates proper access control, as evidenced by the CWE‑200 and CWE‑284 classifications.

Affected Systems

Any installation of Forceu Gokapi that runs a version earlier than 2.2.3 is affected. The vulnerability became known after release of v2.2.3 and is absent in all later releases. No other products or vendors are listed as affected.

Risk and Exploitability

The CVSS score of 6.4 indicates moderate severity. The EPSS score is reported as less than 1%, implying that exploitation is unlikely at this time, and the vulnerability is not present in CISA’s Known Exploited Vulnerabilities catalog. However, because the attack requires an authenticated session, an attacker could leverage this to enumerate files among users of a shared deployment, which can assist in planning further attacks or in data exfiltration. The risk is therefore moderate but mitigated by the low likelihood of public exploitation.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Forceu

Gokapi

affected

Version	Status	Constraints
`< 2.2.3`	affected	—

Configuration 1 [-]

cpe:2.3:a:forceu:gokapi:*:*:*:*:*:*:*:*

No data.

Vendor Product Confidence Versions

Forceu

Gokapi

100%

Version	Status	Scheme	Platform
`[0,2.2.3)`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade Gokapi to version 2.2.3 or later, which removes the global upload state exposure.
If an immediate upgrade is not possible, limit access to the /uploadStatus SSE endpoint by enforcing stricter authentication or ACL rules so that only the uploading user or an administrator can subscribe to the stream.
Monitor application logs for unexpected or repeated upload‑status requests from users that are not the owners of the listed files, and investigate any anomalous patterns.

Generated by OpenCVE AI on April 16, 2026 at 11:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Github GHSA	GHSA-c36c-7pc2-f2ph	Gokapi has Data Leak in Upload Status Stream

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00008.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/Forceu/Gokapi/releases/tag/v2.2.3
https://github.com/Forceu/Gokapi/security/advisories/GHSA-c36c-7pc2-f2ph

History

Mon, 09 Mar 2026 19:00:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:a:forceu:gokapi::::::::

Fri, 06 Mar 2026 16:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Fri, 06 Mar 2026 15:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Forceu Forceu gokapi
Vendors & Products		Forceu Forceu gokapi

Fri, 06 Mar 2026 05:15:00 +0000

Type	Values Removed	Values Added
Description		Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to version 2.2.3, the upload status SSE implementation on /uploadStatus publishes global upload state to any authenticated listener and includes file_id values that are not scoped to the requesting user. This issue has been patched in version 2.2.3.
Title		Gokapi: Data Leak in Upload Status Stream
Weaknesses		CWE-200 CWE-284
References		https://github.com/Forceu/Gokapi/releases/tag/v2.2.3 https://github.com/Forceu/Gokapi/security/advisories/GHSA-c36c-7pc2-f2ph
Metrics		cvssV3_1 `{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}`

Subscriptions

Forceu Gokapi

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-03-06T04:43:59.708Z

Updated: 2026-03-06T16:06:54.309Z

Reserved: 2026-03-02T21:43:19.927Z

Link: CVE-2026-28682

Vulnrichment

Updated: 2026-03-06T15:50:36.498Z

NVD

Status : Analyzed

Published: 2026-03-06T05:16:38.130

Modified: 2026-03-09T18:50:41.013

Link: CVE-2026-28682

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T11:45:26Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object