CVSS score: 6.4

Gokapi file sharing server leaks sensitive file information

CVE-2026-28682 GHSA-c36c-7pc2-f2ph
Summary

Versions of Gokapi prior to 2.2.3 published upload status, including file_id values, to any authenticated user listening on /uploadStatus, even if they weren't the file owner. This could have exposed sensitive information. To fix this, update to version 2.2.3 or later.

What to do
  • Update github.com/forceu/gokapi to version 2.2.3.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| github.com | forceu | <= 2.2.3 | 2.2.3 |
| forceu | github.com/forceu/gokapi | <= 2.2.3 | 2.2.3 |
| forceu | gokapi | <= 2.2.3 | – |
Original title
Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to version 2.2.3, the upload status SSE implementation on /uploadStatus publishes global upload s...
Original description
Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to version 2.2.3, the upload status SSE implementation on /uploadStatus publishes global upload state to any authenticated listener and includes file_id values that are not scoped to the requesting user. This issue has been patched in version 2.2.3.
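
The access-control gap described above, sketched in Go as an added example (not Gokapi's code or its patch): an SSE handler that checks event ownership before writing each frame, so a listener never receives another user's file_id. `UploadEvent`, `statusHandler`, `currentUser` and `streamFor` are hypothetical names, and the events are constructed sample data.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// UploadEvent is a hypothetical status record; OwnerID is the uploading user.
type UploadEvent struct {
	OwnerID       int
	FileID, State string
}

// statusHandler streams SSE frames scoped to the caller. currentUser is an
// assumed stand-in for the server's session lookup.
func statusHandler(currentUser func(*http.Request) (int, bool), events []UploadEvent) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		uid, ok := currentUser(r)
		if !ok {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		w.Header().Set("Content-Type", "text/event-stream")
		for _, e := range events {
			// Authentication alone is not enough: skip events the caller
			// does not own instead of broadcasting global upload state.
			if e.OwnerID != uid {
				continue
			}
			b, _ := json.Marshal(map[string]string{"file_id": e.FileID, "state": e.State})
			fmt.Fprintf(w, "data: %s\n\n", b)
		}
	}
}

// streamFor runs the handler as user uid over constructed sample events
// (uid 0 stands for an unauthenticated request) and returns the body.
func streamFor(uid int) string {
	events := []UploadEvent{{1, "fileA-constructed", "uploading"}, {2, "fileB-constructed", "finished"}}
	h := statusHandler(func(*http.Request) (int, bool) { return uid, uid > 0 }, events)
	rec := httptest.NewRecorder()
	h(rec, httptest.NewRequest(http.MethodGet, "/uploadStatus", nil))
	return rec.Body.String()
}

func main() { fmt.Print(streamFor(1)) }
```

A regression test for this class of bug opens the stream as two different users and asserts that neither body contains the other's file_id.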
NVD CVSS 3.1: 6.4
Vulnerability type
CWE-200 Information Exposure
CWE-284 Improper Access Control
Published: 6 Mar 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026