CVE-2026-28682
Received Received - Intake
Information Disclosure in Gokapi UploadStatus SSE Exposes File IDs

Publication date: 2026-03-06

Last updated on: 2026-03-09

Assigner: GitHub, Inc.

Description
Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to version 2.2.3, the upload status SSE implementation on /uploadStatus publishes global upload state to any authenticated listener and includes file_id values that are not scoped to the requesting user. This issue has been patched in version 2.2.3.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-06
Last Modified
2026-03-09
Generated
2026-06-16
AI Q&A
2026-03-06
EPSS Evaluated
2026-06-15
NVD
CVE-2026-28682
EUVD
EUVD-2026-9992
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
forceu gokapi to 2.2.3 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Impact Analysis

This vulnerability allows any authenticated user to observe file identifiers of other users, which can lead to unauthorized access to sensitive or private files.

Such unauthorized access results in a loss of confidentiality and potential exposure of sensitive data across different tenants or users.

The attack can be performed remotely over the network with low complexity and requires only low privileges without user interaction.

Compliance Impact

I don't know

Executive Summary

CVE-2026-28682 is a moderate severity vulnerability affecting Gokapi versions prior to 2.2.3. The issue is in the Server-Sent Events (SSE) implementation of the upload status stream at the /uploadStatus endpoint.

This implementation publishes the global upload state to any authenticated listener but improperly includes file_id values that are not scoped to the requesting user.

As a result, any authenticated user can see file identifiers belonging to other users, leading to unauthorized access to content and cross-tenant data exposure.

This causes a loss of confidentiality for uploaded documents and is classified under improper access control (CWE-284).

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability involves the Server-Sent Events (SSE) implementation on the /uploadStatus endpoint of Gokapi versions prior to 2.2.3. Detection involves monitoring network traffic or making authenticated requests to the /uploadStatus SSE stream to check if file_id values from other users are exposed.'}, {'type': 'paragraph', 'content': 'A practical approach is to use tools like curl or wget to connect to the SSE endpoint with an authenticated user and observe if file_id values belonging to other users are present in the stream.'}, {'type': 'list_item', 'content': 'curl -H "Authorization: Bearer <token>" https://<gokapi-server>/uploadStatus'}, {'type': 'list_item', 'content': 'Observe the output for file_id values that do not belong to the authenticated user, indicating exposure.'}, {'type': 'paragraph', 'content': 'Network monitoring tools or packet capture utilities (e.g., tcpdump, Wireshark) can also be used to inspect SSE traffic for unauthorized file_id exposure.'}] [1]

Mitigation Strategies

The primary mitigation step is to upgrade Gokapi to version 2.2.3 or later, where this vulnerability has been patched.

Until the upgrade can be performed, restrict access to the /uploadStatus SSE endpoint to trusted users only, and monitor authenticated sessions for suspicious access patterns.

Additionally, review and tighten access controls and authentication mechanisms to minimize the risk of unauthorized users accessing sensitive upload status information.

Users are strongly advised to update to v2.2.3 especially in multi-user environments to prevent cross-tenant data exposure.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-28682. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart