{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-29084", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-03T20:51:43.484Z", "datePublished": "2026-03-06T04:45:29.563Z", "dateUpdated": "2026-03-06T16:06:15.878Z"}, "containers": {"cna": {"title": "Gokapi: CSRF in Login Endpoint", "problemTypes": [{"descriptions": [{"cweId": "CWE-352", "lang": "en", "description": "CWE-352: Cross-Site Request Forgery (CSRF)", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/Forceu/Gokapi/security/advisories/GHSA-hcff-qv74-7hr4", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/Forceu/Gokapi/security/advisories/GHSA-hcff-qv74-7hr4"}, {"name": "https://github.com/Forceu/Gokapi/releases/tag/v2.2.3", "tags": ["x_refsource_MISC"], "url": "https://github.com/Forceu/Gokapi/releases/tag/v2.2.3"}], "affected": [{"vendor": "Forceu", "product": "Gokapi", "versions": [{"version": "< 2.2.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-06T04:45:29.563Z"}, "descriptions": [{"lang": "en", "value": "Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to version 2.2.3, the login flow accepts credential-bearing requests without CSRF protection mechanisms tied to the browser session context. The handler parses form values directly and creates a session on successful credential validation. This issue has been patched in version 2.2.3."}], "source": {"advisory": "GHSA-hcff-qv74-7hr4", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-06T15:50:29.294858Z", "id": "CVE-2026-29084", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-06T16:06:15.878Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-29084", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-03T20:51:43.484Z", "datePublished": "2026-03-06T04:45:29.563Z", "dateUpdated": "2026-03-06T16:06:15.878Z"}, "containers": {"cna": {"title": "Gokapi: CSRF in Login Endpoint", "problemTypes": [{"descriptions": [{"cweId": "CWE-352", "lang": "en", "description": "CWE-352: Cross-Site Request Forgery (CSRF)", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/Forceu/Gokapi/security/advisories/GHSA-hcff-qv74-7hr4", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/Forceu/Gokapi/security/advisories/GHSA-hcff-qv74-7hr4"}, {"name": "https://github.com/Forceu/Gokapi/releases/tag/v2.2.3", "tags": ["x_refsource_MISC"], "url": "https://github.com/Forceu/Gokapi/releases/tag/v2.2.3"}], "affected": [{"vendor": "Forceu", "product": "Gokapi", "versions": [{"version": "< 2.2.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-06T04:45:29.563Z"}, "descriptions": [{"lang": "en", "value": "Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to version 2.2.3, the login flow accepts credential-bearing requests without CSRF protection mechanisms tied to the browser session context. The handler parses form values directly and creates a session on successful credential validation. This issue has been patched in version 2.2.3."}], "source": {"advisory": "GHSA-hcff-qv74-7hr4", "discovery": "UNKNOWN"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-29084", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-06T15:50:29.294858Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-06T15:50:30.378Z"}}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:forceu:gokapi:*:*:*:*:*:*:*:*", "matchCriteriaId": "8645BF69-6E20-4571-ABA4-A9C590D032C8", "versionEndExcluding": "2.2.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to version 2.2.3, the login flow accepts credential-bearing requests without CSRF protection mechanisms tied to the browser session context. The handler parses form values directly and creates a session on successful credential validation. This issue has been patched in version 2.2.3."}, {"lang": "es", "value": "Gokapi es un servidor de intercambio de archivos autoalojado con expiraci\u00f3n autom\u00e1tica y soporte de cifrado. Antes de la versi\u00f3n 2.2.3, el flujo de inicio de sesi\u00f3n acepta solicitudes que contienen credenciales sin mecanismos de protecci\u00f3n CSRF vinculados al contexto de la sesi\u00f3n del navegador. El gestor analiza los valores del formulario directamente y crea una sesi\u00f3n tras la validaci\u00f3n exitosa de las credenciales. Este problema ha sido parcheado en la versi\u00f3n 2.2.3."}], "id": "CVE-2026-29084", "lastModified": "2026-03-09T18:53:50.580", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 2.5, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 2.5, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-06T05:16:41.180", "references": [{"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/Forceu/Gokapi/releases/tag/v2.2.3"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/Forceu/Gokapi/security/advisories/GHSA-hcff-qv74-7hr4"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.2.3)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Gokapi", "source": "cna", "vendor": "Forceu"}, "product": "gokapi", "vendor": "forceu"}], "analysis": {"en": {"generated_at": "2026-04-16T11:34:48.860833+00:00", "value": {"mitigation_remediation": ["Upgrade Gokapi to version 2.2.3 or later to apply the CSRF protection fix.", "If an upgrade cannot be performed immediately, restrict or disable access to the login endpoint for untrusted hosts until the patch is applied.", "Ensure that login forms are protected by a CSRF token or otherwise enforce state\u2011changing request validation as a temporary measure."], "summary": {"action": "Patch", "impact": "Unauthorized session creation via CSRF"}, "threat_synthesis": {"affected_systems": "All deployments of Gokapi versions earlier than 2.2.3 are susceptible to this issue. The affected product is Forceu Gokapi as listed by the CNA, and any installation using any release older than 2.2.3 is impacted. The vulnerability is mitigated in the 2.2.3 release and later.", "description_and_impact": "Gokapi, a self-hosted file sharing server, has a CSRF vulnerability in its login endpoint that allows an attacker to create an authenticated session without the victim\u2019s knowledge. The flaw arises because the server accepts credential-bearing requests during the login flow without tying them to a browser session or CSRF token. Successfully exploited, this weakness can lead to unauthorized access to the attacker\u2019s account or a session that can be used to hijack subsequent operations. The weakness is categorized as CWE\u2011352, a form of input validation and context\u2011sensitive attack.", "risk_and_exploitability": "The CVSS base score of 4.6 indicates a moderate degree of risk, and the EPSS score of less than 1\u202f% reflects a very low likelihood of exploitation in the wild. The vulnerability is not yet listed in the CISA KEV catalogue. Attackers can exploit it via a crafted CSRF request sent from a compromised or malicious web page that a victim visits, exploiting the browser\u2019s cross\u2011origin request capability. No special prerequisites beyond user interaction are required, making the attack straightforward for a determined adversary."}}}}, "created": "2026-03-06T14:55:43.440690+00:00", "updated": "2026-04-16T11:45:26.262628+00:00", "vendors": ["forceu", "forceu$PRODUCT$gokapi"]}