{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-29060", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-03T17:50:11.244Z", "datePublished": "2026-03-06T04:44:55.534Z", "dateUpdated": "2026-03-06T16:06:32.551Z"}, "containers": {"cna": {"title": "Gokapi: Privilege escalation with auth token", "problemTypes": [{"descriptions": [{"cweId": "CWE-284", "lang": "en", "description": "CWE-284: Improper Access Control", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/Forceu/Gokapi/security/advisories/GHSA-m2hx-wjxc-9fp4", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/Forceu/Gokapi/security/advisories/GHSA-m2hx-wjxc-9fp4"}, {"name": "https://github.com/Forceu/Gokapi/releases/tag/v2.2.3", "tags": ["x_refsource_MISC"], "url": "https://github.com/Forceu/Gokapi/releases/tag/v2.2.3"}], "affected": [{"vendor": "Forceu", "product": "Gokapi", "versions": [{"version": "< 2.2.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-06T04:44:55.534Z"}, "descriptions": [{"lang": "en", "value": "Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to version 2.2.3, a registered user without privileges to create or modify file requests is able to create a short-lived API key that has the permission to do so. The user must be registered with Gokapi. If there are no users with access to the admin/upload menu, there is no impact. This issue has been patched in version 2.2.3."}], "source": {"advisory": "GHSA-m2hx-wjxc-9fp4", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-06T15:50:33.418119Z", "id": "CVE-2026-29060", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-06T16:06:32.551Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-29060", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-06T15:50:33.418119Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-06T15:50:34.463Z"}}], "cna": {"title": "Gokapi: Privilege escalation with auth token", "source": {"advisory": "GHSA-m2hx-wjxc-9fp4", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "Forceu", "product": "Gokapi", "versions": [{"status": "affected", "version": "< 2.2.3"}]}], "references": [{"url": "https://github.com/Forceu/Gokapi/security/advisories/GHSA-m2hx-wjxc-9fp4", "name": "https://github.com/Forceu/Gokapi/security/advisories/GHSA-m2hx-wjxc-9fp4", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/Forceu/Gokapi/releases/tag/v2.2.3", "name": "https://github.com/Forceu/Gokapi/releases/tag/v2.2.3", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to version 2.2.3, a registered user without privileges to create or modify file requests is able to create a short-lived API key that has the permission to do so. The user must be registered with Gokapi. If there are no users with access to the admin/upload menu, there is no impact. This issue has been patched in version 2.2.3."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-284", "description": "CWE-284: Improper Access Control"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-06T04:44:55.534Z"}}}, "cveMetadata": {"cveId": "CVE-2026-29060", "state": "PUBLISHED", "dateUpdated": "2026-03-06T16:06:32.551Z", "dateReserved": "2026-03-03T17:50:11.244Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-06T04:44:55.534Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:forceu:gokapi:*:*:*:*:*:*:*:*", "matchCriteriaId": "8645BF69-6E20-4571-ABA4-A9C590D032C8", "versionEndExcluding": "2.2.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to version 2.2.3, a registered user without privileges to create or modify file requests is able to create a short-lived API key that has the permission to do so. The user must be registered with Gokapi. If there are no users with access to the admin/upload menu, there is no impact. This issue has been patched in version 2.2.3."}, {"lang": "es", "value": "Gokapi es un servidor de intercambio de archivos autoalojado con soporte para expiraci\u00f3n autom\u00e1tica y cifrado. Antes de la versi\u00f3n 2.2.3, un usuario registrado sin privilegios para crear o modificar solicitudes de archivos puede crear una clave API de corta duraci\u00f3n que tiene permiso para hacerlo. El usuario debe estar registrado en Gokapi. Si no hay usuarios con acceso al men\u00fa de administraci\u00f3n/carga, no hay impacto. Este problema ha sido parcheado en la versi\u00f3n 2.2.3."}], "id": "CVE-2026-29060", "lastModified": "2026-03-09T18:52:32.457", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.0, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.0, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-06T05:16:40.620", "references": [{"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/Forceu/Gokapi/releases/tag/v2.2.3"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/Forceu/Gokapi/security/advisories/GHSA-m2hx-wjxc-9fp4"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.2.3)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Gokapi", "source": "cna", "vendor": "Forceu"}, "product": "gokapi", "vendor": "forceu"}], "analysis": {"en": {"generated_at": "2026-04-16T11:35:41.225383+00:00", "value": {"mitigation_remediation": ["Upgrade Gokapi to version 2.2.3 or later to apply the vendor patch that removes the privilege escalation path.", "Restrict or disable the ability for users without request\u2011management privileges to generate API keys that include create/modify permissions.", "Re\u2011evaluate and enforce access controls on the admin/upload menu and API token scopes to ensure only authorized users can create or modify file requests."], "summary": {"action": "Apply Patch", "impact": "Privilege Escalation via unauthorized API key creation"}, "threat_synthesis": {"affected_systems": "Forceu Gokapi servers running any version before 2.2.3 are affected. The issue is resolved in version 2.2.3 and newer. No impact exists if no users have access to the admin/upload menu.", "description_and_impact": "A registered user who normally cannot create or modify file requests can generate a short\u2011lived API key that grants those privileges. The key is valid for a limited period, but during that time it allows the user to create or alter file requests, potentially exposing sensitive files or bypassing workflow controls. The weakness corresponds to improper privilege handling (CWE\u2011284).", "risk_and_exploitability": "The CVSS score of 5 indicates moderate risk, while an EPSS score of less than 1% suggests a very low yet non\u2011zero likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires a legitimate registered account and involves creating an API key; the attack vector is likely local or web\u2011based via the Gokapi API."}}}}, "created": "2026-03-06T14:55:45.185537+00:00", "updated": "2026-04-16T11:45:26.263651+00:00", "vendors": ["forceu", "forceu$PRODUCT$gokapi"]}