CVE-2026-29060

Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to version 2.2.3, a registered user without privileges to create or modify file requests is able to create a short-lived API key that has the permission to do so. The user must be registered with Gokapi. If there are no users with access to the admin/upload menu, there is no impact. This issue has been patched in version 2.2.3.

CVSS v3 5.0 MEDIUM

5.0^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 3.1 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact LOW

Scope CHANGED

References

Link	Resource
https://github.com/Forceu/Gokapi/releases/tag/v2.2.3	Release Notes
https://github.com/Forceu/Gokapi/security/advisories/GHSA-m2hx-wjxc-9fp4	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:forceu:gokapi:*:*:*:*:*:*:*:*

History

09 Mar 2026, 18:52

Type	Values Removed	Values Added
CPE		cpe:2.3:a:forceu:gokapi::::::::
First Time		Forceu Forceu gokapi
References	~~() https://github.com/Forceu/Gokapi/releases/tag/v2.2.3 -~~	() https://github.com/Forceu/Gokapi/releases/tag/v2.2.3 - Release Notes
References	~~() https://github.com/Forceu/Gokapi/security/advisories/GHSA-m2hx-wjxc-9fp4 -~~	() https://github.com/Forceu/Gokapi/security/advisories/GHSA-m2hx-wjxc-9fp4 - Vendor Advisory

09 Mar 2026, 13:36

Type	Values Removed	Values Added
Summary		(es) Gokapi es un servidor de intercambio de archivos autoalojado con soporte para expiración automática y cifrado. Antes de la versión 2.2.3, un usuario registrado sin privilegios para crear o modificar solicitudes de archivos puede crear una clave API de corta duración que tiene permiso para hacerlo. El usuario debe estar registrado en Gokapi. Si no hay usuarios con acceso al menú de administración/carga, no hay impacto. Este problema ha sido parcheado en la versión 2.2.3.

06 Mar 2026, 05:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-06 05:16

Updated : 2026-03-09 18:52

NVD link : CVE-2026-29060

Mitre link : CVE-2026-29060

CVE.ORG link : CVE-2026-29060

JSON object : View

Products Affected

forceu

gokapi

CWE

CWE-284

Improper Access Control

{"id": "CVE-2026-29060", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.0, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 3.1}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.0, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 3.1}]}, "published": "2026-03-06T05:16:40.620", "references": [{"url": "https://github.com/Forceu/Gokapi/releases/tag/v2.2.3", "tags": ["Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/Forceu/Gokapi/security/advisories/GHSA-m2hx-wjxc-9fp4", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-284"}]}], "descriptions": [{"lang": "en", "value": "Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to version 2.2.3, a registered user without privileges to create or modify file requests is able to create a short-lived API key that has the permission to do so. The user must be registered with Gokapi. If there are no users with access to the admin/upload menu, there is no impact. This issue has been patched in version 2.2.3."}, {"lang": "es", "value": "Gokapi es un servidor de intercambio de archivos autoalojado con soporte para expiraci\u00f3n autom\u00e1tica y cifrado. Antes de la versi\u00f3n 2.2.3, un usuario registrado sin privilegios para crear o modificar solicitudes de archivos puede crear una clave API de corta duraci\u00f3n que tiene permiso para hacerlo. El usuario debe estar registrado en Gokapi. Si no hay usuarios con acceso al men\u00fa de administraci\u00f3n/carga, no hay impacto. Este problema ha sido parcheado en la versi\u00f3n 2.2.3."}], "lastModified": "2026-03-09T18:52:32.457", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:forceu:gokapi:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8645BF69-6E20-4571-ABA4-A9C590D032C8", "versionEndExcluding": "2.2.3"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}