4.1
Gokapi Allows Users to Delete Other Users' Files
GHSA-j6jp-78w8-34x6
CVE-2026-30943
Summary
A security issue in Gokapi allows any user who can replace their own files and view others' uploads to delete any file uploaded by other users. This means that someone could delete important files uploaded by others. To protect your data, ensure that users only have the necessary permissions and that users with replace permissions are properly monitored.
What to do
- Update github.com/forceu/gokapi to version 2.2.4.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| github.com | forceu | <= 2.2.3 | 2.2.4 |
| forceu | github.com/forceu/gokapi | <= 2.2.4 | 2.2.4 |
Original title
Gokapi vulnerable to Privilege Escalation in File Replace
Original description
## Summary
An insufficient authorization check in the file replace API allows a user with only list visibility permission (`UserPermListOtherUploads`) to delete another user's file by abusing the `deleteNewFile` flag, bypassing the requirement for `UserPermDeleteOtherUploads`.
### Impact
Any authenticated user with `PERM_REPLACE` (replace own files) and `PERM_LIST` (view other users' uploads) can delete any other user's file without needing `PERM_DELETE`.
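A minimal Go model of the authorization rule described above, added here as an illustration and not taken from Gokapi's source or its patch. The types, permission bit values, function names and the `UserPermReplaceUploads` name are assumptions; only `UserPermListOtherUploads`, `UserPermDeleteOtherUploads` and `deleteNewFile` come from the advisory.

```go
package main

import "fmt"

// Permission bits named after the identifiers in the advisory; values are assumptions.
type Perm uint8

const (
	UserPermReplaceUploads Perm = 1 << iota // assumed name for PERM_REPLACE
	UserPermListOtherUploads
	UserPermDeleteOtherUploads
)

type User struct{ ID int; Perms Perm }   // hypothetical user record
type File struct{ ID string; OwnerID int } // hypothetical file record

func (u User) has(p Perm) bool { return u.Perms&p != 0 }

// canReplaceFlawed models the flaw: the source file only has to be visible to
// the caller, even when deleteNewFile means it will be removed afterwards.
func canReplaceFlawed(u User, target, source File, deleteNewFile bool) bool {
	if !u.has(UserPermReplaceUploads) || target.OwnerID != u.ID {
		return false
	}
	return source.OwnerID == u.ID || u.has(UserPermListOtherUploads)
}

// canReplaceFixed treats deleteNewFile as a delete of the source file, so a
// source owned by someone else also requires UserPermDeleteOtherUploads.
func canReplaceFixed(u User, target, source File, deleteNewFile bool) bool {
	if !canReplaceFlawed(u, target, source, deleteNewFile) {
		return false
	}
	if deleteNewFile && source.OwnerID != u.ID {
		return u.has(UserPermDeleteOtherUploads)
	}
	return true
}

func main() {
	u := User{ID: 1, Perms: UserPermReplaceUploads | UserPermListOtherUploads}
	own, other := File{"a", 1}, File{"b", 2} // constructed sample files
	fmt.Println("flawed allows:", canReplaceFlawed(u, own, other, true))
	fmt.Println("fixed allows: ", canReplaceFixed(u, own, other, true))
}
```

A table-driven test over every permission combination, asserting that `deleteNewFile` on another user's file is refused without the delete permission, is a reasonable regression check for this class of bug.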
ghsa CVSS3.1
4.1
Vulnerability type
CWE-863
Incorrect Authorization
Published: 13 Mar 2026 · Updated: 14 Mar 2026 · First seen: 13 Mar 2026