Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
5.0
Gokapi File Sharing Server: Unprivileged Users Can Create API Keys
CVE-2026-29060
GHSA-m2hx-wjxc-9fp4
GHSA-m2hx-wjxc-9fp4
Summary
A registered user without permission to upload files can create a temporary API key that allows them to upload files. This could allow unauthorized users to upload files to your server. Update to version 2.2.3 to fix this issue.
What to do
- Update github.com forceu to version 2.2.3.
- Update forceu github.com/forceu/gokapi to version 2.2.3.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| github.com | forceu | <= 2.2.3 | 2.2.3 |
| forceu | github.com/forceu/gokapi | <= 2.2.3 | 2.2.3 |
| forceu | gokapi | <= 2.2.3 | – |
Original title
Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to version 2.2.3, a registered user without privileges to create or modify file requests is able ...
Original description
Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to version 2.2.3, a registered user without privileges to create or modify file requests is able to create a short-lived API key that has the permission to do so. The user must be registered with Gokapi. If there are no users with access to the admin/upload menu, there is no impact. This issue has been patched in version 2.2.3.
nvd CVSS3.1
5.0
Vulnerability type
CWE-284
Improper Access Control
Published: 6 Mar 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026