Gokapi
CVE-2026-29061
MEDIUM
Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
3DescriptionGitHub Advisory
Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to version 2.2.3, a privilege escalation vulnerability in the user rank demotion logic allows a demoted user's existing API keys to retain ApiPermManageFileRequests and ApiPermManageLogs permissions, enabling continued access to upload-request management and log viewing endpoints after the user has been stripped of all privileges. This issue has been patched in version 2.2.3.
AnalysisAI
Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. [CVSS 5.4 MEDIUM]
Technical ContextAI
Classified as CWE-284 (Improper Access Control). Affects Gokapi. Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to version 2.2.3, a privilege escalation vulnerability in the user rank demotion logic allows a demoted user's existing API keys to retain ApiPermManageFileRequests and ApiPermManageLogs permissions, enabling continued access to upload-request management and log viewing endpoints after the user has been stripped of all privileges. This issue has been patched in version 2.2.3.
RemediationAI
Fixed in version 2.2.3.. Restrict network access to the affected service where possible.
Stored XSS in Gokapi through malicious SVG file uploads enables authenticated attackers to execute arbitrary JavaScript
Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. [CVSS 6.4 MEDIUM]
Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. When using end-to-end encr
Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. By renaming the friendly n
Privilege escalation in Gokapi prior to version 2.2.3 allows authenticated users to generate API keys with elevated perm
Gokapi versions prior to 2.2.3 lack CSRF protection on the login endpoint, allowing authenticated attackers to perform u
Same weakness CWE-284 – Improper Access Control
View allSame technique Privilege Escalation
View allVendor StatusVendor
SUSE
Severity: MediumShare
External POC / Exploit Code
Leaving vuln.today
GHSA-q658-hfpg-35qc