CVE-2026-30961 - Vulnerability Details

- Gokapi's File Request MaxSize Limit Bypassed via Multi-Chunk Upload

Description

Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to 2.2.4, the chunked upload completion path for file requests does not validate the total file size against the per-request MaxSize limit. An attacker with a public file request link can split an oversized file into chunks each under MaxSize and upload them sequentially, bypassing the size restriction entirely. Files up to the server's global MaxFileSizeMB are accepted regardless of the file request's configured limit. This vulnerability is fixed in 2.2.4.

Published: 2026-03-13

Score: 4.3 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The flaw in Gokapi occurs in the chunked upload completion path for file requests where the total file size is not validated against the per‑request MaxSize limit. An attacker who possesses a public file request link can therefore split an oversized file into multiple chunks, each smaller than MaxSize, and upload them sequentially. This evades the intended size restriction, allowing the server to accept files up to the global MaxFileSizeMB limit. The impact is a loss of upload limiting controls and potential resource exhaustion, classified under CWE-770.

Affected Systems

Forceu Gokapi self‑hosted file sharing server is affected. All deployments running a version earlier than 2.2.4 are vulnerable because the bug is resolved in that release. Users should verify that their instance is not legacy and that a public file‑request link exists.

Risk and Exploitability

The CVSS score of 4.3 indicates low severity, while the EPSS of less than 1% suggests a low likelihood of real‑world exploitation. The vulnerability is not listed in the CISA KEV catalog. The attack vector is public, requiring only access to a file request link; no elevated privileges are necessary. Exploitation is straightforward: upload an oversized file in compliant chunks. Patched versions mitigate the issue.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Forceu

Gokapi

affected

Version	Status	Constraints
`< 2.2.4`	affected	—

Configuration 1 [-]

cpe:2.3:a:forceu:gokapi:*:*:*:*:*:*:*:*

No data.

Vendor Product Confidence Versions

Forceu

Gokapi

100%

Version	Status	Scheme	Platform
`[0,2.2.4)`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade Gokapi to version 2.2.4 or later.

Generated by OpenCVE AI on March 17, 2026 at 17:18 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Github GHSA	GHSA-45vh-rpc8-hxpp	Gokapi's File Request MaxSize Limit Bypassed via Multi-Chunk Upload

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00027.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/Forceu/Gokapi/releases/tag/v2.2.4
https://github.com/Forceu/Gokapi/security/advisories/GHSA-45vh-rpc8-hxpp

History

Tue, 17 Mar 2026 14:00:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:a:forceu:gokapi::::::::

Mon, 16 Mar 2026 10:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Forceu Forceu gokapi
Vendors & Products		Forceu Forceu gokapi

Fri, 13 Mar 2026 20:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Fri, 13 Mar 2026 19:30:00 +0000

Type	Values Removed	Values Added
Description		Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to 2.2.4, the chunked upload completion path for file requests does not validate the total file size against the per-request MaxSize limit. An attacker with a public file request link can split an oversized file into chunks each under MaxSize and upload them sequentially, bypassing the size restriction entirely. Files up to the server's global MaxFileSizeMB are accepted regardless of the file request's configured limit. This vulnerability is fixed in 2.2.4.
Title		Gokapi's File Request MaxSize Limit Bypassed via Multi-Chunk Upload
Weaknesses		CWE-770
References		https://github.com/Forceu/Gokapi/releases/tag/v2.2.4 https://github.com/Forceu/Gokapi/security/advisories/GHSA-45vh-rpc8-hxpp
Metrics		cvssV3_1 `{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L'}`

Subscriptions

Forceu Gokapi

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-03-13T19:09:38.427Z

Updated: 2026-03-13T19:39:14.146Z

Reserved: 2026-03-07T17:34:39.981Z

Link: CVE-2026-30961

Vulnrichment

Updated: 2026-03-13T19:39:10.071Z

NVD

Status : Analyzed

Published: 2026-03-13T19:54:35.903

Modified: 2026-03-17T13:46:12.297

Link: CVE-2026-30961

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-23T13:40:17Z

Weaknesses

CWE-770

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object