← volver
CVE-2026-29061

Gokapi: Privilege escalation via incomplete API-key permission revocation on user rank demotion

CVSS 5.4 MEDIUMEPSS 0.1%CWE-284
Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to version 2.2.3, a privilege escalation vulnerability in the user rank demotion logic allows a demoted user's existing API keys to retain ApiPermManageFileRequests and ApiPermManageLogs permissions, enabling continued access to upload-request management and log viewing endpoints after the user has been stripped of all privileges. This issue has been patched in version 2.2.3.
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Productos afectados
Forceu · Gokapi

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →
Referencias
https://github.com/Forceu/Gokapi/releases/tag/v2.2.3https://github.com/Forceu/Gokapi/security/advisories/GHSA-q658-hfpg-35qc