Description
Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to 2.2.4, An API endpoint accepts unbounded request bodies without any size limit. An authenticated user can cause an OOM kill and complete service disruption for all users. This vulnerability is fixed in 2.2.4.
Published: 2026-03-13
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch
AI Analysis

Impact

An API endpoint in Gokapi accepts unbounded request bodies without a size limit, which allows an authenticated user to send a maliciously large payload that triggers an out‑of‑memory condition, leading to an OOM kill of the application and complete service disruption for all users. This vulnerability represents a classic example of an unbounded resource consumption flaw, identified as CWE-400.

Affected Systems

The vulnerability affects the open source file sharing server Gokapi, specifically versions prior to 2.2.4; users of Gokapi 2.2.3 or earlier are impacted.

Risk and Exploitability

The CVSS score of 6.5 indicates medium severity. EPSS is reported as under 1%, suggesting a low probability of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires the attacker to be an authenticated user with access to the vulnerable API endpoint; successful exploitation results in a Denial of Service that impacts all users of the affected instance.

Generated by OpenCVE AI on March 17, 2026 at 17:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Gokapi to version 2.2.4 or later to apply the DoS fix.

Generated by OpenCVE AI on March 17, 2026 at 17:19 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-qwc6-vc2v-2ggj Gokapi vulnerable to DoS in E2E Metadata Parser
History

Tue, 17 Mar 2026 14:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:forceu:gokapi:*:*:*:*:*:*:*:*

Mon, 16 Mar 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Forceu
Forceu gokapi
Vendors & Products Forceu
Forceu gokapi

Fri, 13 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 13 Mar 2026 19:30:00 +0000

Type Values Removed Values Added
Description Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to 2.2.4, An API endpoint accepts unbounded request bodies without any size limit. An authenticated user can cause an OOM kill and complete service disruption for all users. This vulnerability is fixed in 2.2.4.
Title Gokapi vulnerable to DoS in E2E Metadata Parser
Weaknesses CWE-400
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

Forceu Gokapi
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-13T19:39:58.108Z

Reserved: 2026-03-07T17:34:39.981Z

Link: CVE-2026-30955

cve-icon Vulnrichment

Updated: 2026-03-13T19:39:54.957Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-13T19:54:35.740

Modified: 2026-03-17T13:46:57.010

Link: CVE-2026-30955

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-23T13:40:18Z

Weaknesses