CVE-2026-29084

Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to version 2.2.3, the login flow accepts credential-bearing requests without CSRF protection mechanisms tied to the browser session context. The handler parses form values directly and creates a session on successful credential validation. This issue has been patched in version 2.2.3.

CVSS v3 4.6 MEDIUM

4.6^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.1 / Impact : 2.5

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/Forceu/Gokapi/releases/tag/v2.2.3	Release Notes
https://github.com/Forceu/Gokapi/security/advisories/GHSA-hcff-qv74-7hr4	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:forceu:gokapi:*:*:*:*:*:*:*:*

History

09 Mar 2026, 18:53

Type	Values Removed	Values Added
References	~~() https://github.com/Forceu/Gokapi/releases/tag/v2.2.3 -~~	() https://github.com/Forceu/Gokapi/releases/tag/v2.2.3 - Release Notes
References	~~() https://github.com/Forceu/Gokapi/security/advisories/GHSA-hcff-qv74-7hr4 -~~	() https://github.com/Forceu/Gokapi/security/advisories/GHSA-hcff-qv74-7hr4 - Vendor Advisory
First Time		Forceu Forceu gokapi
CPE		cpe:2.3:a:forceu:gokapi::::::::

09 Mar 2026, 13:36

Type	Values Removed	Values Added
Summary		(es) Gokapi es un servidor de intercambio de archivos autoalojado con expiración automática y soporte de cifrado. Antes de la versión 2.2.3, el flujo de inicio de sesión acepta solicitudes que contienen credenciales sin mecanismos de protección CSRF vinculados al contexto de la sesión del navegador. El gestor analiza los valores del formulario directamente y crea una sesión tras la validación exitosa de las credenciales. Este problema ha sido parcheado en la versión 2.2.3.

06 Mar 2026, 05:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-06 05:16

Updated : 2026-03-09 18:53

NVD link : CVE-2026-29084

Mitre link : CVE-2026-29084

CVE.ORG link : CVE-2026-29084

JSON object : View

Products Affected

forceu

gokapi

CWE

CWE-352

Cross-Site Request Forgery (CSRF)

{"id": "CVE-2026-29084", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.6, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.5, "exploitabilityScore": 2.1}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.6, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.5, "exploitabilityScore": 2.1}]}, "published": "2026-03-06T05:16:41.180", "references": [{"url": "https://github.com/Forceu/Gokapi/releases/tag/v2.2.3", "tags": ["Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/Forceu/Gokapi/security/advisories/GHSA-hcff-qv74-7hr4", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-352"}]}], "descriptions": [{"lang": "en", "value": "Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to version 2.2.3, the login flow accepts credential-bearing requests without CSRF protection mechanisms tied to the browser session context. The handler parses form values directly and creates a session on successful credential validation. This issue has been patched in version 2.2.3."}, {"lang": "es", "value": "Gokapi es un servidor de intercambio de archivos autoalojado con expiraci\u00f3n autom\u00e1tica y soporte de cifrado. Antes de la versi\u00f3n 2.2.3, el flujo de inicio de sesi\u00f3n acepta solicitudes que contienen credenciales sin mecanismos de protecci\u00f3n CSRF vinculados al contexto de la sesi\u00f3n del navegador. El gestor analiza los valores del formulario directamente y crea una sesi\u00f3n tras la validaci\u00f3n exitosa de las credenciales. Este problema ha sido parcheado en la versi\u00f3n 2.2.3."}], "lastModified": "2026-03-09T18:53:50.580", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:forceu:gokapi:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8645BF69-6E20-4571-ABA4-A9C590D032C8", "versionEndExcluding": "2.2.3"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}