PT-2026-23605 · Gokapi · Gokapi

Sijisu · Published 2026-03-05 · Updated 2026-03-25

CVE-2026-29061 · CVSS v3.1 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Gokapi versions prior to 2.2.3

Description: Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. A flaw in the user rank demotion logic lets a demoted user's existing API keys retain the ApiPermManageFileRequests and ApiPermManageLogs permissions, so the keys can still reach the upload-request management and log viewing endpoints after the user has been stripped of all privileges. Specifically, any user who previously held Admin rank and had API keys carrying ApiPermManageFileRequests or ApiPermManageLogs keeps those capabilities after demotion: an offboarded or demoted user can still create, list, and delete upload requests, and can still read application logs and system status. The affected API endpoints are those for managing upload requests and viewing logs.

Recommendations: Update to version 2.2.3 or later.
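The flaw described above, modelled as an added example (not Gokapi's own code): a demotion routine that only changes the rank next to one that also strips admin-only bits from the user's existing keys, plus an audit helper that reports admin-only bits left on a non-admin's keys. The permission names follow the advisory; the bit values, types, and sample data are assumptions for this illustration.

```go
package main

import "fmt"

// Permission bits on an API key. The names follow the advisory; the bit
// values and every type below are assumed for this example, not Gokapi's code.
type ApiPermission uint16
const (
	ApiPermUpload ApiPermission = 1 << iota
	ApiPermManageFileRequests
	ApiPermManageLogs
	adminOnlyPerms = ApiPermManageFileRequests | ApiPermManageLogs // must not survive demotion
)

type ApiKey struct{ Permissions ApiPermission }
type User struct {
	IsAdmin bool
	Keys    []*ApiKey
}

// DemoteVulnerable models the flaw: the rank changes, but existing keys keep their bits.
func DemoteVulnerable(u *User) { u.IsAdmin = false }

// DemoteFixed also strips admin-only bits from every key the user owns.
func DemoteFixed(u *User) {
	u.IsAdmin = false
	for _, k := range u.Keys {
		k.Permissions &^= adminOnlyPerms
	}
}

// AdminBitsOnKeys is an audit check: admin-only bits still present on a user's keys.
func AdminBitsOnKeys(u *User) (leaked ApiPermission) {
	for _, k := range u.Keys {
		leaked |= k.Permissions & adminOnlyPerms
	}
	return leaked
}

// NewAdminWithKey builds a constructed sample: an admin holding one fully privileged key.
func NewAdminWithKey() *User {
	return &User{IsAdmin: true, Keys: []*ApiKey{{Permissions: ApiPermUpload | adminOnlyPerms}}}
}

func main() {
	v, f := NewAdminWithKey(), NewAdminWithKey()
	DemoteVulnerable(v)
	DemoteFixed(f)
	fmt.Printf("admin bits left on keys: vulnerable=%03b fixed=%03b\n", AdminBitsOnKeys(v), AdminBitsOnKeys(f)) // 110 000
}
```

Running AdminBitsOnKeys over every non-admin account is also a cheap post-upgrade audit for keys issued before the fix.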

Tags: Exploit · Fix · LPE · Improper Access Control


Weakness Enumeration

Related Identifiers

CVE-2026-29061
GHSA-Q658-HFPG-35QC
GO-2026-4626
SUSE-SU-2026:1042-1

Affected Products

Gokapi