{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-28682", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-02T21:43:19.927Z", "datePublished": "2026-03-06T04:43:59.708Z", "dateUpdated": "2026-03-06T16:06:54.309Z"}, "containers": {"cna": {"title": "Gokapi: Data Leak in Upload Status Stream", "problemTypes": [{"descriptions": [{"cweId": "CWE-284", "lang": "en", "description": "CWE-284: Improper Access Control", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-200", "lang": "en", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/Forceu/Gokapi/security/advisories/GHSA-c36c-7pc2-f2ph", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/Forceu/Gokapi/security/advisories/GHSA-c36c-7pc2-f2ph"}, {"name": "https://github.com/Forceu/Gokapi/releases/tag/v2.2.3", "tags": ["x_refsource_MISC"], "url": "https://github.com/Forceu/Gokapi/releases/tag/v2.2.3"}], "affected": [{"vendor": "Forceu", "product": "Gokapi", "versions": [{"version": "< 2.2.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-06T04:43:59.708Z"}, "descriptions": [{"lang": "en", "value": "Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to version 2.2.3, the upload status SSE implementation on /uploadStatus publishes global upload state to any authenticated listener and includes file_id values that are not scoped to the requesting user. This issue has been patched in version 2.2.3."}], "source": {"advisory": "GHSA-c36c-7pc2-f2ph", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-06T15:50:35.457455Z", "id": "CVE-2026-28682", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-06T16:06:54.309Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-28682", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-06T15:50:35.457455Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-06T15:50:36.498Z"}}], "cna": {"title": "Gokapi: Data Leak in Upload Status Stream", "source": {"advisory": "GHSA-c36c-7pc2-f2ph", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "Forceu", "product": "Gokapi", "versions": [{"status": "affected", "version": "< 2.2.3"}]}], "references": [{"url": "https://github.com/Forceu/Gokapi/security/advisories/GHSA-c36c-7pc2-f2ph", "name": "https://github.com/Forceu/Gokapi/security/advisories/GHSA-c36c-7pc2-f2ph", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/Forceu/Gokapi/releases/tag/v2.2.3", "name": "https://github.com/Forceu/Gokapi/releases/tag/v2.2.3", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to version 2.2.3, the upload status SSE implementation on /uploadStatus publishes global upload state to any authenticated listener and includes file_id values that are not scoped to the requesting user. This issue has been patched in version 2.2.3."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-284", "description": "CWE-284: Improper Access Control"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-200", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-06T04:43:59.708Z"}}}, "cveMetadata": {"cveId": "CVE-2026-28682", "state": "PUBLISHED", "dateUpdated": "2026-03-06T16:06:54.309Z", "dateReserved": "2026-03-02T21:43:19.927Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-06T04:43:59.708Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:forceu:gokapi:*:*:*:*:*:*:*:*", "matchCriteriaId": "8645BF69-6E20-4571-ABA4-A9C590D032C8", "versionEndExcluding": "2.2.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to version 2.2.3, the upload status SSE implementation on /uploadStatus publishes global upload state to any authenticated listener and includes file_id values that are not scoped to the requesting user. This issue has been patched in version 2.2.3."}, {"lang": "es", "value": "Gokapi es un servidor de intercambio de archivos autoalojado con expiraci\u00f3n autom\u00e1tica y soporte de cifrado. Antes de la versi\u00f3n 2.2.3, la implementaci\u00f3n SSE del estado de carga en /uploadStatus publica el estado de carga global a cualquier oyente autenticado e incluye valores de file_id que no est\u00e1n acotados al usuario solicitante. Este problema ha sido parcheado en la versi\u00f3n 2.2.3."}], "id": "CVE-2026-28682", "lastModified": "2026-03-09T18:50:41.013", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-06T05:16:38.130", "references": [{"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/Forceu/Gokapi/releases/tag/v2.2.3"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/Forceu/Gokapi/security/advisories/GHSA-c36c-7pc2-f2ph"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}, {"lang": "en", "value": "CWE-284"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.2.3)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Gokapi", "source": "cna", "vendor": "Forceu"}, "product": "gokapi", "vendor": "forceu"}], "analysis": {"en": {"generated_at": "2026-04-16T11:36:16.591566+00:00", "value": {"mitigation_remediation": ["Upgrade Gokapi to version 2.2.3 or later, which removes the global upload state exposure.", "If an immediate upgrade is not possible, limit access to the /uploadStatus SSE endpoint by enforcing stricter authentication or ACL rules so that only the uploading user or an administrator can subscribe to the stream.", "Monitor application logs for unexpected or repeated upload\u2011status requests from users that are not the owners of the listed files, and investigate any anomalous patterns."], "summary": {"action": "Patch", "impact": "Confidentiality Breach (Data Exposure)"}, "threat_synthesis": {"affected_systems": "Any installation of Forceu Gokapi that runs a version earlier than 2.2.3 is affected. The vulnerability became known after release of v2.2.3 and is absent in all later releases. No other products or vendors are listed as affected.", "description_and_impact": "The vulnerability lies in the server\u2011side event (SSE) implementation used to stream upload status to any authenticated client. The stream publishes a global set of upload records, including the identifier of every file in the system, regardless of the requesting user\u2019s ownership. A logged\u2011in attacker or a benign user could therefore observe file identifiers belonging to other users, potentially revealing the existence of files they should not access. This flaw is a classic information\u2011disclosure weakness and also violates proper access control, as evidenced by the CWE\u2011200 and CWE\u2011284 classifications.", "risk_and_exploitability": "The CVSS score of 6.4 indicates moderate severity. The EPSS score is reported as less than 1%, implying that exploitation is unlikely at this time, and the vulnerability is not present in CISA\u2019s Known Exploited Vulnerabilities catalog. However, because the attack requires an authenticated session, an attacker could leverage this to enumerate files among users of a shared deployment, which can assist in planning further attacks or in data exfiltration. The risk is therefore moderate but mitigated by the low likelihood of public exploitation."}}}}, "created": "2026-03-06T14:55:46.839384+00:00", "updated": "2026-04-16T11:45:26.264560+00:00", "vendors": ["forceu", "forceu$PRODUCT$gokapi"]}