5.4
Gokapi Server: Demoted User Can Still Access Sensitive Features
CVE-2026-29061
GHSA-q658-hfpg-35qc
Summary
Versions of the Gokapi file sharing server prior to 2.2.3 do not fully revoke privileges when a user is demoted in rank: the user's existing API keys keep the ApiPermManageFileRequests and ApiPermManageLogs permissions, so the demoted user can still reach the upload-request management and log viewing endpoints. Update to version 2.2.3 or later to fix this issue.
What to do
- Update Gokapi (github.com/forceu/gokapi) to version 2.2.3 or later.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| github.com | forceu | <= 2.2.3 | 2.2.3 |
| forceu | github.com/forceu/gokapi | <= 2.2.3 | 2.2.3 |
| forceu | gokapi | <= 2.2.3 | – |
Original title
Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to version 2.2.3, a privilege escalation vulnerability in the user rank demotion logic allows a d...
Original description
Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to version 2.2.3, a privilege escalation vulnerability in the user rank demotion logic allows a demoted user's existing API keys to retain ApiPermManageFileRequests and ApiPermManageLogs permissions, enabling continued access to upload-request management and log viewing endpoints after the user has been stripped of all privileges. This issue has been patched in version 2.2.3.
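The failure mode described above, as an added example that is not Gokapi's own code: a demotion that clears an enumerated list of privileged bits leaves any unlisted bit on existing API keys, while clamping to the new rank's ceiling does not, and the same mask gives an audit for stored keys. Only the names ApiPermManageFileRequests and ApiPermManageLogs come from the advisory; the bit values, the other permission names, the rank ceiling and the function names are assumptions.

```go
package main

import "fmt"

// Only the names ApiPermManageFileRequests and ApiPermManageLogs come from the
// advisory; bit values, other names and the rank ceiling are assumptions.
type Perm uint16

const (
	ApiPermView Perm = 1 << iota
	ApiPermUpload
	ApiPermManageUsers
	ApiPermManageFileRequests
	ApiPermManageLogs
	allowedForUser = ApiPermView | ApiPermUpload // hypothetical lowest-rank ceiling
)

type ApiKey struct{ ID string; Perms Perm }

// demoteDenylist models the failure mode: bits missing from its list survive.
func demoteDenylist(keys []ApiKey) {
	for i := range keys {
		keys[i].Perms &^= ApiPermManageUsers
	}
}

// demoteAllowlist clamps every key to the new rank's ceiling.
func demoteAllowlist(keys []ApiKey, ceiling Perm) {
	for i := range keys {
		keys[i].Perms &= ceiling
	}
}

// excessKeys lists keys holding bits above the ceiling (post-upgrade audit).
func excessKeys(keys []ApiKey, ceiling Perm) (ids []string) {
	for _, k := range keys {
		if k.Perms&^ceiling != 0 {
			ids = append(ids, k.ID)
		}
	}
	return ids
}

func main() {
	keys := []ApiKey{{"key-a", ApiPermView | ApiPermManageUsers | ApiPermManageFileRequests | ApiPermManageLogs}} // constructed
	demoteDenylist(keys)
	fmt.Println("over-privileged after denylist demotion:", excessKeys(keys, allowedForUser))
	demoteAllowlist(keys, allowedForUser)
	fmt.Println("over-privileged after clamp:", excessKeys(keys, allowedForUser))
}
```

After upgrading, the same ceiling check run over the stored API keys of non-admin users shows whether any key issued before a demotion still carries permissions above its owner's rank.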
nvd CVSS3.1
5.4
Vulnerability type
CWE-284
Improper Access Control
Published: 6 Mar 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026