CVE-2026-29084

Name of the Vulnerable Software and Affected Versions Gokapi versions prior to 2.2.3

Description Gokapi, a self-hosted file sharing server, had a flaw in its login process. Before version 2.2.3, the login flow lacked CSRF protection, meaning credential-bearing requests weren’t properly linked to the user’s browser session. The system directly processed form values and established a session upon successful credential verification. This could allow an attacker to hijack a user's session if the attacker knows the credentials, potentially leading to user confusion and misuse of account access.

Recommendations Update to version 2.2.3 or later.