PT-2026-23602 · Gokapi · Gokapi

Sijisu · Published 2026-03-05 · Updated 2026-03-25 · CVE-2026-28682

CVSS v3.1: 6.4 Medium
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions

Gokapi versions prior to 2.2.3

Description

Gokapi is a self-hosted file sharing server that supports automatic expiration and encryption. The upload status Server-Sent Events (SSE) implementation on the /uploadStatus API endpoint publishes global upload state to any authenticated user and includes file id values that are not limited to the requesting user. This can lead to cross-tenant data exposure and loss of confidentiality for uploaded documents, as authenticated users can observe other users' file identifiers and retrieve unauthorized content.

Recommendations

Update to version 2.2.3 or later.
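
An added illustration of the flaw class described above, not Gokapi's code: a status broadcast that sends every upload event to any subscriber, beside a variant that filters on the requesting user. The type, field and function names are hypothetical and the sample events are constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// UploadEvent is a hypothetical status record, not Gokapi's real type.
type UploadEvent struct {
	FileID  string `json:"file_id"`
	OwnerID int    `json:"-"` // authorization input only, never sent to clients
	Status  string `json:"status"`
}

// framesFor renders the events that pass allowed() as SSE "data:" frames.
func framesFor(events []UploadEvent, allowed func(UploadEvent) bool) []string {
	frames := []string{}
	for _, e := range events {
		if !allowed(e) {
			continue
		}
		b, _ := json.Marshal(e)
		frames = append(frames, "data: "+string(b)+"\n\n")
	}
	return frames
}

// broadcastAll shows the flawed pattern: the requesting user is ignored.
func broadcastAll(events []UploadEvent, _ int) []string {
	return framesFor(events, func(UploadEvent) bool { return true })
}

// broadcastScoped only emits events owned by the requesting user.
func broadcastScoped(events []UploadEvent, userID int) []string {
	return framesFor(events, func(e UploadEvent) bool { return e.OwnerID == userID })
}

// sampleEvents returns constructed data: three uploads by users 1 and 2.
func sampleEvents() []UploadEvent {
	return []UploadEvent{
		{"constructed-id-a", 1, "uploading"},
		{"constructed-id-b", 2, "finished"},
		{"constructed-id-c", 1, "finished"},
	}
}

func main() {
	fmt.Println(len(broadcastAll(sampleEvents(), 2)), "frames unscoped")
	fmt.Println(len(broadcastScoped(sampleEvents(), 2)), "frames scoped")
}
```

Filtering the stream is only one half of the control: a file id that leaks by any route should still not be enough on its own to retrieve another user's content.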

Exploit

Fix

Improper Access Control

Information Disclosure

Weakness Enumeration

Related Identifiers

CVE-2026-28682
GHSA-C36C-7PC2-F2PH
GO-2026-4613
SUSE-SU-2026:1042-1

Affected Products

Gokapi