CVE-2026-29084 - Vulnerability Details

- Gokapi: CSRF in Login Endpoint

Description

Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to version 2.2.3, the login flow accepts credential-bearing requests without CSRF protection mechanisms tied to the browser session context. The handler parses form values directly and creates a session on successful credential validation. This issue has been patched in version 2.2.3.

Published: 2026-03-06

Score: 4.6 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

Gokapi, a self-hosted file sharing server, has a CSRF vulnerability in its login endpoint that allows an attacker to create an authenticated session without the victim’s knowledge. The flaw arises because the server accepts credential-bearing requests during the login flow without tying them to a browser session or CSRF token. Successfully exploited, this weakness can lead to unauthorized access to the attacker’s account or a session that can be used to hijack subsequent operations. The weakness is categorized as CWE‑352, a form of input validation and context‑sensitive attack.

Affected Systems

All deployments of Gokapi versions earlier than 2.2.3 are susceptible to this issue. The affected product is Forceu Gokapi as listed by the CNA, and any installation using any release older than 2.2.3 is impacted. The vulnerability is mitigated in the 2.2.3 release and later.

Risk and Exploitability

The CVSS base score of 4.6 indicates a moderate degree of risk, and the EPSS score of less than 1 % reflects a very low likelihood of exploitation in the wild. The vulnerability is not yet listed in the CISA KEV catalogue. Attackers can exploit it via a crafted CSRF request sent from a compromised or malicious web page that a victim visits, exploiting the browser’s cross‑origin request capability. No special prerequisites beyond user interaction are required, making the attack straightforward for a determined adversary.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Forceu

Gokapi

affected

Version	Status	Constraints
`< 2.2.3`	affected	—

Configuration 1 [-]

cpe:2.3:a:forceu:gokapi:*:*:*:*:*:*:*:*

No data.

Vendor Product Confidence Versions

Forceu

Gokapi

100%

Version	Status	Scheme	Platform
`[0,2.2.3)`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade Gokapi to version 2.2.3 or later to apply the CSRF protection fix.
If an upgrade cannot be performed immediately, restrict or disable access to the login endpoint for untrusted hosts until the patch is applied.
Ensure that login forms are protected by a CSRF token or otherwise enforce state‑changing request validation as a temporary measure.

Generated by OpenCVE AI on April 16, 2026 at 11:34 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Github GHSA	GHSA-hcff-qv74-7hr4	Gokapi has CSRF in Login Endpoint

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00004.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/Forceu/Gokapi/releases/tag/v2.2.3
https://github.com/Forceu/Gokapi/security/advisories/GHSA-hcff-qv74-7hr4

History

Mon, 09 Mar 2026 19:00:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:a:forceu:gokapi::::::::

Fri, 06 Mar 2026 16:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Fri, 06 Mar 2026 15:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Forceu Forceu gokapi
Vendors & Products		Forceu Forceu gokapi

Fri, 06 Mar 2026 05:15:00 +0000

Type	Values Removed	Values Added
Description		Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to version 2.2.3, the login flow accepts credential-bearing requests without CSRF protection mechanisms tied to the browser session context. The handler parses form values directly and creates a session on successful credential validation. This issue has been patched in version 2.2.3.
Title		Gokapi: CSRF in Login Endpoint
Weaknesses		CWE-352
References		https://github.com/Forceu/Gokapi/releases/tag/v2.2.3 https://github.com/Forceu/Gokapi/security/advisories/GHSA-hcff-qv74-7hr4
Metrics		cvssV3_1 `{'score': 4.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N'}`

Subscriptions

Forceu Gokapi

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-03-06T04:45:29.563Z

Updated: 2026-03-06T16:06:15.878Z

Reserved: 2026-03-03T20:51:43.484Z

Link: CVE-2026-29084

Vulnrichment

Updated: 2026-03-06T15:50:30.378Z

NVD

Status : Analyzed

Published: 2026-03-06T05:16:41.180

Modified: 2026-03-09T18:53:50.580

Link: CVE-2026-29084

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T11:45:26Z

Weaknesses

CWE-352

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object