Description
Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to 2.2.4, An insufficient authorization check in the file replace API allows a user with only list visibility permission (UserPermListOtherUploads) to delete another user's file by abusing the deleteNewFile flag, bypassing the requirement for UserPermDeleteOtherUploads. This vulnerability is fixed in 2.2.4.
Published: 2026-03-13
Score: 4.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation
Action: Apply Patch
AI Analysis

Impact

An insufficient authorization check in Gokapi's file replace API allows an authenticated user with only list visibility permission (UserPermListOtherUploads) to delete files owned by other users by setting the deleteNewFile flag. This privilege escalation leads to unauthorized data deletion, affecting confidentiality and availability of stored files. The vulnerability is identified by CWE-863.

Affected Systems

All versions of Forceu Gokapi older than 2.2.4 are affected. The vulnerability is present in Gokapi releases prior to v2.2.4, as indicated in the Forceu advisory and the GitHub release notes. The affected product is listed under the CPE string cpe:2.3:a:forceu:gokapi:*:*:*:*:*:*:*:* and is used as a self‑hosted file sharing server.

Risk and Exploitability

The CVSS base score is 4.1, indicating low severity. EPSS score is less than 1 % and the vulnerability is not listed in CISA's KEV catalog, suggesting a low likelihood of exploitation in the wild. The attack vector requires authentication to the API and permission to list uploads; an attacker can exploit this by sending a crafted request to the file replace endpoint with deleteNewFile set to true. No public exploits have been reported, but administrators should still mitigate by updating.

Generated by OpenCVE AI on March 17, 2026 at 17:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Gokapi to version 2.2.4 or later.
  • Verify that the Gokapi instance is running version 2.2.4 or newer.

Generated by OpenCVE AI on March 17, 2026 at 17:19 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-j6jp-78w8-34x6 Gokapi vulnerable to Privilege Escalation in File Replace
History

Tue, 17 Mar 2026 14:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:forceu:gokapi:*:*:*:*:*:*:*:*

Mon, 16 Mar 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Forceu
Forceu gokapi
Vendors & Products Forceu
Forceu gokapi

Fri, 13 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 13 Mar 2026 19:30:00 +0000

Type Values Removed Values Added
Description Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to 2.2.4, An insufficient authorization check in the file replace API allows a user with only list visibility permission (UserPermListOtherUploads) to delete another user's file by abusing the deleteNewFile flag, bypassing the requirement for UserPermDeleteOtherUploads. This vulnerability is fixed in 2.2.4.
Title Gokapi has Privilege Escalation in File Replace
Weaknesses CWE-863
References
Metrics cvssV3_1

{'score': 4.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:N'}

Subscriptions

Forceu Gokapi
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-13T19:40:38.395Z

Reserved: 2026-03-07T17:34:39.979Z

Link: CVE-2026-30943

cve-icon Vulnrichment

Updated: 2026-03-13T19:40:33.761Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-13T19:54:35.573

Modified: 2026-03-17T13:48:39.590

Link: CVE-2026-30943

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-23T13:40:19Z

Weaknesses