CVE-2026-29060 Gokapi — Exploit & Vulnerability Details MEDIUM

CVE-2026-29060

MEDIUM CVSS 3.1: 5.0 EPSS 0.01%

Parameter	Value
CVSS	5.0 (MEDIUM)
Fixed In	2.2.3
Type	CWE-284 (Improper Access Control)
Vendor	Gokapi
Public PoC	No

Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to version 2.2.3, a registered user without privileges to create or modify file requests is able to create a short-lived API key that has the permission to do so. The user must be registered with Gokapi.

If there are no users with access to the admin/upload menu, there is no impact. This issue has been patched in version 2.2.3.

Attack Parameters

Attack Vector

Network

Can be exploited remotely

Attack Complexity

Low

Easy to exploit

Privileges Required

Low

Basic privileges needed

User Interaction

None

No user interaction needed

Impact Assessment

Confidentiality

None

No data leak

Integrity

None

No data modification

Availability

Low

Partial disruption

CVSS Vector v3.1

Weakness Type (CWE)

CWE-284 Improper Access Control

References 2

https://github.com/Forceu/Gokapi/releases/tag/v2.2.3

security-advisories@github.com

https://github.com/Forceu/Gokapi/security/advisories/GHSA-m2hx-wjxc-9fp4

security-advisories@github.com

Share Post Share Share Share

Related Vulnerabilities

CVE-2026-30961

Forceu

4.3

CVE-2026-30955

Forceu

6.5

CVE-2026-30943

Forceu

4.1

CVE-2026-29084

Gokapi

4.6

CVE-2026-29061

Gokapi

5.4

Menu

CVE-2026-29060

Attack Parameters

Impact Assessment

CVSS Vector v3.1

Weakness Type (CWE)

References 2

Related Vulnerabilities

CVE-2026-30961

CVE-2026-30955

CVE-2026-30943

CVE-2026-29084

CVE-2026-29061

CVE Details

Editor's Choice

Menu

CVE-2026-29060

Attack Parameters

Impact Assessment

CVSS Vector v3.1

Weakness Type (CWE)

References 2

Related Vulnerabilities

CVE-2026-30961

CVE-2026-30955

CVE-2026-30943

CVE-2026-29084

CVE-2026-29061

CVE Details

Editor's Choice

Stay informed on cybersecurity