CVE-2026-28682
Information Disclosure in Gokapi UploadStatus SSE Exposes File IDs
Publication date: 2026-03-06
Last updated on: 2026-03-09
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| forceu | gokapi | versions before 2.2.3 (2.2.3 excluded) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-28682 is a moderate severity vulnerability affecting Gokapi versions prior to 2.2.3. The issue is in the Server-Sent Events (SSE) implementation of the upload status stream at the /uploadStatus endpoint.
This implementation publishes the global upload state to any authenticated listener but improperly includes file_id values that are not scoped to the requesting user.
As a result, any authenticated user can see file identifiers belonging to other users, leading to unauthorized access to content and cross-tenant data exposure.
This causes a loss of confidentiality for uploaded documents and is classified under improper access control (CWE-284).
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves the Server-Sent Events (SSE) implementation on the /uploadStatus endpoint of Gokapi versions prior to 2.2.3. Detection involves monitoring network traffic or making authenticated requests to the /uploadStatus SSE stream to check if file_id values from other users are exposed.

A practical approach is to use tools like curl or wget to connect to the SSE endpoint with an authenticated user and observe if file_id values belonging to other users are present in the stream.

- `curl -H "Authorization: Bearer <token>" https://<gokapi-server>/uploadStatus`
- Observe the output for file_id values that do not belong to the authenticated user, indicating exposure.

Network monitoring tools or packet capture utilities (e.g., tcpdump, Wireshark) can also be used to inspect SSE traffic for unauthorized file_id exposure. [1]
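The two answers above describe the flaw (a global upload state broadcast to every authenticated SSE listener) and a manual check (watch the stream for file_id values you do not own). The Go program below is an added example written for this page; it is not Gokapi's code, and the event schema (`file_id`, `owner`, `status`), the function names and the sample events are all constructed assumptions. It models the unscoped broadcast next to a per-user scoped one, renders both as text/event-stream frames, and runs the ownership check a defender would apply to a captured stream: any `data:` payload whose file_id is not in the requesting user's own set is flagged.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"strings"
)

// UploadEvent is a constructed model of one payload on the upload status
// stream. The field names are assumptions for this example, not Gokapi's
// real schema.
type UploadEvent struct {
	FileID string `json:"file_id"`
	Owner  string `json:"owner"`
	Status string `json:"status"`
}

// globalState is constructed sample data: uploads belonging to two users.
var globalState = []UploadEvent{
	{FileID: "f-alice-001", Owner: "alice", Status: "complete"},
	{FileID: "f-bob-777", Owner: "bob", Status: "uploading"},
	{FileID: "f-alice-002", Owner: "alice", Status: "uploading"},
}

// broadcastAll models the behaviour the advisory describes: the whole global
// upload state is sent to every authenticated listener, whoever they are.
func broadcastAll(state []UploadEvent, _ string) []UploadEvent {
	return state
}

// broadcastScoped is the hardened variant: a listener only receives events
// for uploads that belong to the requesting user.
func broadcastScoped(state []UploadEvent, user string) []UploadEvent {
	out := make([]UploadEvent, 0, len(state))
	for _, ev := range state {
		if ev.Owner == user {
			out = append(out, ev)
		}
	}
	return out
}

// encodeSSE renders events as text/event-stream frames (one "data:" line per
// event, frames separated by a blank line).
func encodeSSE(events []UploadEvent) string {
	var b strings.Builder
	for _, ev := range events {
		payload, _ := json.Marshal(ev)
		fmt.Fprintf(&b, "event: uploadStatus\ndata: %s\n\n", payload)
	}
	return b.String()
}

// foreignFileIDs is the defender's check: parse a captured SSE stream served
// to one authenticated user and return every file_id that is not in the set
// of IDs that user owns. A non-empty result means the stream is leaking
// other users' identifiers.
func foreignFileIDs(stream string, ownIDs map[string]bool) ([]string, error) {
	var leaked []string
	sc := bufio.NewScanner(strings.NewReader(stream))
	for sc.Scan() {
		line := sc.Text()
		if !strings.HasPrefix(line, "data:") {
			continue // ignore "event:", "id:", comments and blank separators
		}
		var ev UploadEvent
		raw := strings.TrimSpace(strings.TrimPrefix(line, "data:"))
		if err := json.Unmarshal([]byte(raw), &ev); err != nil {
			return nil, fmt.Errorf("bad SSE payload %q: %w", raw, err)
		}
		if !ownIDs[ev.FileID] {
			leaked = append(leaked, ev.FileID)
		}
	}
	return leaked, sc.Err()
}

func main() {
	// alice knows her own file IDs from her own file list.
	aliceOwns := map[string]bool{"f-alice-001": true, "f-alice-002": true}

	unscoped, _ := foreignFileIDs(encodeSSE(broadcastAll(globalState, "alice")), aliceOwns)
	scoped, _ := foreignFileIDs(encodeSSE(broadcastScoped(globalState, "alice")), aliceOwns)

	fmt.Printf("unscoped stream leaks: %v\n", unscoped) // [f-bob-777]
	fmt.Printf("scoped stream leaks:   %v\n", scoped)   // []
}
```

The same `foreignFileIDs` check can be pointed at a stream captured with the curl command above by saving its output to a file and reading it in; the ownership set is whatever the authenticated account can legitimately list, so the check needs no knowledge of other users.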
How can this vulnerability impact me?
This vulnerability allows any authenticated user to observe file identifiers of other users, which can lead to unauthorized access to sensitive or private files.
Such unauthorized access results in a loss of confidentiality and potential exposure of sensitive data across different tenants or users.
The attack can be performed remotely over the network with low complexity and requires only low privileges without user interaction.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade Gokapi to version 2.2.3 or later, where this vulnerability has been patched.
Until the upgrade can be performed, restrict access to the /uploadStatus SSE endpoint to trusted users only, and monitor authenticated sessions for suspicious access patterns.
Additionally, review and tighten access controls and authentication mechanisms to minimize the risk of unauthorized users accessing sensitive upload status information.
Users are strongly advised to update to v2.2.3, especially in multi-user environments, to prevent cross-tenant data exposure.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know