CVE-2026-29061 - Vulnerability Details

- Gokapi: Privilege escalation via incomplete API-key permission revocation on user rank demotion

Description

Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to version 2.2.3, a privilege escalation vulnerability in the user rank demotion logic allows a demoted user's existing API keys to retain ApiPermManageFileRequests and ApiPermManageLogs permissions, enabling continued access to upload-request management and log viewing endpoints after the user has been stripped of all privileges. This issue has been patched in version 2.2.3.

Published: 2026-03-06

Score: 5.4 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A vulnerability in Gokapi's user rank demotion logic allows a demoted user to retain certain API permissions tied to existing API keys. The permissions "ApiPermManageFileRequests" and "ApiPermManageLogs" remain active even after the user has been stripped of all privileges, giving the attacker continued access to upload‑request management and log viewing endpoints. This escalation could enable unauthorized configuration changes or access to sensitive data through the file sharing service.

Affected Systems

Forceu Gokapi self‑hosted file sharing server. Versions prior to 2.2.3 are affected. The vulnerability occurs in all installations that have demoted users and have not applied the 2.2.3 release.

Risk and Exploitability

The vulnerability has a CVSS score of 5.4 and an EPSS score of less than 1%, indicating a moderate severity but low likelihood of exploitation. It is not listed in the CISA KEV catalog. Attackers would require a demoted user account that still retains an API key, which suggests the flaw is exploitable after legitimate role changes without additional privileges. The risk is primarily to users who are incorrectly allowed to maintain API access after demotion.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Forceu

Gokapi

affected

Version	Status	Constraints
`< 2.2.3`	affected	—

Configuration 1 [-]

cpe:2.3:a:forceu:gokapi:*:*:*:*:*:*:*:*

No data.

Vendor Product Confidence Versions

Forceu

Gokapi

100%

Version	Status	Scheme	Platform
`[0,2.2.3)`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update to Gokapi version 2.2.3 or later to remove the privilege escalation bug.
Revoke all API keys for users who have been demoted and regenerate keys for legitimate users to ensure proper permission revocation.
Verify that the API permissions for remediated users no longer include "ApiPermManageFileRequests" or "ApiPermManageLogs" through direct API tests or administrative checks.
Review role and permission policies in the application to confirm that future rank changes trigger complete revocation of related API privileges.

Generated by OpenCVE AI on April 16, 2026 at 11:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Github GHSA	GHSA-q658-hfpg-35qc	Gokapi has privilege escalation via incomplete API-key permission revocation on user rank demotion

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00007.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/Forceu/Gokapi/releases/tag/v2.2.3
https://github.com/Forceu/Gokapi/security/advisories/GHSA-q658-hfpg-35qc

History

Mon, 09 Mar 2026 19:00:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:a:forceu:gokapi::::::::

Fri, 06 Mar 2026 16:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Fri, 06 Mar 2026 15:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Forceu Forceu gokapi
Vendors & Products		Forceu Forceu gokapi

Fri, 06 Mar 2026 05:15:00 +0000

Type	Values Removed	Values Added
Description		Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to version 2.2.3, a privilege escalation vulnerability in the user rank demotion logic allows a demoted user's existing API keys to retain ApiPermManageFileRequests and ApiPermManageLogs permissions, enabling continued access to upload-request management and log viewing endpoints after the user has been stripped of all privileges. This issue has been patched in version 2.2.3.
Title		Gokapi: Privilege escalation via incomplete API-key permission revocation on user rank demotion
Weaknesses		CWE-284
References		https://github.com/Forceu/Gokapi/releases/tag/v2.2.3 https://github.com/Forceu/Gokapi/security/advisories/GHSA-q658-hfpg-35qc
Metrics		cvssV3_1 `{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}`

Subscriptions

Forceu Gokapi

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-03-06T04:45:15.404Z

Updated: 2026-03-06T16:06:23.367Z

Reserved: 2026-03-03T17:50:11.245Z

Link: CVE-2026-29061

Vulnrichment

Updated: 2026-03-06T15:50:32.424Z

NVD

Status : Analyzed

Published: 2026-03-06T05:16:40.903

Modified: 2026-03-09T18:50:07.253

Link: CVE-2026-29061

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T11:45:26Z

Weaknesses

CWE-284

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object