Description
Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to version 2.2.3, a registered user without privileges to create or modify file requests is able to create a short-lived API key that has the permission to do so. The user must be registered with Gokapi. If there are no users with access to the admin/upload menu, there is no impact. This issue has been patched in version 2.2.3.
Published: 2026-03-06
Score: 5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation via unauthorized API key creation
Action: Apply Patch
AI Analysis

Impact

A registered user who normally cannot create or modify file requests can generate a short‑lived API key that grants those privileges. The key is valid for a limited period, but during that time it allows the user to create or alter file requests, potentially exposing sensitive files or bypassing workflow controls. The weakness corresponds to improper privilege handling (CWE‑284).

Affected Systems

Forceu Gokapi servers running any version before 2.2.3 are affected. The issue is resolved in version 2.2.3 and newer. No impact exists if no users have access to the admin/upload menu.

Risk and Exploitability

The CVSS score of 5 indicates moderate risk, while an EPSS score of less than 1% suggests a very low yet non‑zero likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires a legitimate registered account and involves creating an API key; the attack vector is likely local or web‑based via the Gokapi API.

Generated by OpenCVE AI on April 16, 2026 at 11:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Gokapi to version 2.2.3 or later to apply the vendor patch that removes the privilege escalation path.
  • Restrict or disable the ability for users without request‑management privileges to generate API keys that include create/modify permissions.
  • Re‑evaluate and enforce access controls on the admin/upload menu and API token scopes to ensure only authorized users can create or modify file requests.

Generated by OpenCVE AI on April 16, 2026 at 11:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-m2hx-wjxc-9fp4 Gokapi has privilege escalation with auth token
History

Mon, 09 Mar 2026 19:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:forceu:gokapi:*:*:*:*:*:*:*:*

Fri, 06 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 06 Mar 2026 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Forceu
Forceu gokapi
Vendors & Products Forceu
Forceu gokapi

Fri, 06 Mar 2026 05:15:00 +0000

Type Values Removed Values Added
Description Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to version 2.2.3, a registered user without privileges to create or modify file requests is able to create a short-lived API key that has the permission to do so. The user must be registered with Gokapi. If there are no users with access to the admin/upload menu, there is no impact. This issue has been patched in version 2.2.3.
Title Gokapi: Privilege escalation with auth token
Weaknesses CWE-284
References
Metrics cvssV3_1

{'score': 5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L'}

Subscriptions

Forceu Gokapi
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-06T16:06:32.551Z

Reserved: 2026-03-03T17:50:11.244Z

Link: CVE-2026-29060

cve-icon Vulnrichment

Updated: 2026-03-06T15:50:34.463Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-06T05:16:40.620

Modified: 2026-03-09T18:52:32.457

Link: CVE-2026-29060

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T11:45:26Z

Weaknesses