4.3

Gokapi File Uploads Can Bypass Size Limits

GHSA-45vh-rpc8-hxpp · CVE-2026-30961
Summary

An attacker can upload large files using a shared file request link by splitting the file into smaller chunks. This can lead to unauthorized storage consumption, breach of administrative resource policies, and potential service disruption. If you use Gokapi, review your file upload settings and consider updating to a patched version to prevent this issue.

What to do
  • Update Gokapi (github.com/forceu/gokapi) to version 2.2.4.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| github.com | forceu | <= 2.2.3 | 2.2.4 |
| forceu | github.com/forceu/gokapi | <= 2.2.4 | 2.2.4 |
Original title
Gokapi's File Request MaxSize Limit Bypassed via Multi-Chunk Upload
Original description
### Summary

The chunked upload completion path for file requests does not validate the total file size against the per-request `MaxSize` limit. An attacker with a public file request link can split an oversized file into chunks each under `MaxSize` and upload them sequentially, bypassing the size restriction entirely. Files up to the server's global `MaxFileSizeMB` are accepted regardless of the file request's configured limit.
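
The missing check, shown as an added example in Go (this is not Gokapi's code; the `Upload` type and its methods are hypothetical). The flawed handler compares only each chunk with `MaxSize`, while the hardened one enforces the limit on the cumulative size and again at completion.

```go
package main

import (
	"errors"
	"fmt"
)

// Hypothetical names throughout; this is an illustration, not Gokapi's code.
var ErrTooLarge = errors.New("upload exceeds file request MaxSize")

// Upload tracks the bytes received so far for one file on a file request.
type Upload struct {
	MaxSize  int64 // per-request limit in bytes
	received int64
}

// AddChunkFlawed checks each chunk against MaxSize but never the running total.
func (u *Upload) AddChunkFlawed(n int64) error {
	if n > u.MaxSize {
		return ErrTooLarge
	}
	u.received += n
	return nil
}

// AddChunk rejects a chunk once the cumulative size would pass MaxSize.
func (u *Upload) AddChunk(n int64) error {
	if n < 0 || n > u.MaxSize-u.received { // remaining budget, no overflow
		return ErrTooLarge
	}
	u.received += n
	return nil
}

// Complete re-validates the assembled size before the file is stored.
func (u *Upload) Complete() (int64, error) {
	if u.received > u.MaxSize {
		return 0, ErrTooLarge
	}
	return u.received, nil
}

func main() {
	flawed, fixed := &Upload{MaxSize: 10 << 20}, &Upload{MaxSize: 10 << 20}
	for i := 0; i < 5; i++ { // constructed input: five 8 MiB chunks
		fmt.Println(i, flawed.AddChunkFlawed(8<<20), fixed.AddChunk(8<<20))
	}
	_, err := flawed.Complete()
	fmt.Println("flawed total:", flawed.received, "completion check:", err)
}
```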

### Impact

Any guest with access to a shared file request link can upload files far larger than the administrator-configured size limit, up to the server's global `MaxFileSizeMB`. This allows unauthorized storage consumption, circumvention of administrative resource policies, and potential service disruption through storage exhaustion. No data exposure or privilege escalation occurs.
GHSA CVSS 3.1 score: 4.3
Vulnerability type
CWE-20 Improper Input Validation
Published: 13 Mar 2026 · Updated: 14 Mar 2026 · First seen: 13 Mar 2026