PT-2026-23604 · Gokapi · Gokapi

Forceu

Published

2026-03-05

Updated

2026-03-25

CVE-2026-29060

CVSS v3.1

5.0

Medium

Vector

AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N

Name of the Vulnerable Software and Affected Versions Gokapi versions prior to 2.2.3

Description Gokapi is a self-hosted file sharing server that supports automatic expiration and encryption. A registered user lacking the necessary permissions to create or modify file requests can generate a short-lived API key granting them those permissions. This issue impacts systems where no other users have access to the admin/upload menu. The API key allows unauthorized creation or modification of file requests.

Recommendations Update to version 2.2.3 or later.

Exploit

Fix

LPE

Improper Access Control

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-284

Related Identifiers

CVE-2026-29060

GHSA-M2HX-WJXC-9FP4

GO-2026-4615

SUSE-SU-2026:1042-1

Affected Products

Gokapi

PT-2026-23604 · Gokapi · Gokapi

CVE-2026-29060

Weakness Enumeration

Related Identifiers

Affected Products

References · 139