PT-2026-25356 · Gokapi · Gokapi

Sijisu · Published 2026-03-13 · Updated 2026-03-25 · CVE-2026-30943

CVSS v3.1: 4.1 (Medium)

Vector: AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions

Gokapi versions prior to 2.2.4

Description

Gokapi is a self-hosted file sharing server. An authorization flaw in the file replace API allows a user with list visibility permission (UserPermListOtherUploads) to delete another user's file by manipulating the deleteNewFile flag, circumventing the UserPermDeleteOtherUploads requirement. Any authenticated user possessing PERM REPLACE and PERM LIST permissions can delete files belonging to other users without needing PERM DELETE permission.

Recommendations

Update Gokapi to version 2.2.4 or later.
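The missing check described above, modelled as an added example (this is not Gokapi's code). The names UserPermListOtherUploads, UserPermDeleteOtherUploads and deleteNewFile come from the advisory; the types, function names, bit values and UserPermReplaceUploads are assumptions made for the sketch.

```go
package main

import "fmt"

// Permission bits. The list/delete names are quoted from the advisory;
// the numeric values and UserPermReplaceUploads are assumptions.
const (
	UserPermReplaceUploads uint16 = 1 << iota
	UserPermListOtherUploads
	UserPermDeleteOtherUploads
)

// User is a hypothetical authenticated API caller.
type User struct {
	ID    int
	Perms uint16
}

func (u User) has(p uint16) bool { return u.Perms&p != 0 }

// File is a hypothetical stored upload with an owner.
type File struct {
	ID      string
	OwnerID int
}

// flawedMayDelete models the behaviour the advisory describes for versions
// before 2.2.4: being able to list the other user's file is treated as
// sufficient for the deleteNewFile flag to remove it.
func flawedMayDelete(u User, f File, deleteNewFile bool) bool {
	return deleteNewFile && (f.OwnerID == u.ID || u.has(UserPermListOtherUploads))
}

// fixedMayDelete requires the delete permission whenever the flag would
// remove a file that belongs to someone else.
func fixedMayDelete(u User, f File, deleteNewFile bool) bool {
	return deleteNewFile && (f.OwnerID == u.ID || u.has(UserPermDeleteOtherUploads))
}

func main() {
	// Constructed sample data: caller holds replace + list, not delete.
	caller := User{ID: 1, Perms: UserPermReplaceUploads | UserPermListOtherUploads}
	other := File{ID: "constructed-id", OwnerID: 2}
	fmt.Println("flawed check allows delete:", flawedMayDelete(caller, other, true))
	fmt.Println("fixed check allows delete: ", fixedMayDelete(caller, other, true))
}
```

The same table of cases (own file, other user's file, with and without the delete permission, flag on and off) makes a useful regression test for any endpoint where one operation can trigger a second, differently privileged one.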

Exploit

Fix

Weakness Enumeration

Incorrect Authorization

Related Identifiers

CVE-2026-30943
GHSA-J6JP-78W8-34X6
GO-2026-4696
SUSE-SU-2026:1042-1

Affected Products

Gokapi