CVE-2026-29060
Received Received - Intake
Privilege Escalation via API Key in Gokapi File Server

Publication date: 2026-03-06

Last updated on: 2026-03-09

Assigner: GitHub, Inc.

Description
Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to version 2.2.3, a registered user without privileges to create or modify file requests is able to create a short-lived API key that has the permission to do so. The user must be registered with Gokapi. If there are no users with access to the admin/upload menu, there is no impact. This issue has been patched in version 2.2.3.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-06
Last Modified
2026-03-09
Generated
2026-06-16
AI Q&A
2026-03-06
EPSS Evaluated
2026-06-15
NVD
CVE-2026-29060
EUVD
EUVD-2026-9998
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
forceu gokapi to 2.2.3 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-29060 is a moderate severity privilege escalation vulnerability in the Gokapi file sharing server versions prior to 2.2.3.

It allows a registered user who normally does not have privileges to create or modify file requests to generate a short-lived API key that grants these elevated permissions.

This happens due to improper access control, meaning the system fails to properly restrict access to certain actions from unauthorized users.

The vulnerability can be exploited remotely over the network with low complexity and does not require any user interaction.

If no users have access to the admin/upload menu, the vulnerability has no impact.

The issue was fixed in Gokapi version 2.2.3.

Impact Analysis

This vulnerability can allow a registered user without proper privileges to temporarily gain the ability to create or modify file requests by generating a short-lived API key.

While it does not affect confidentiality or integrity, it can impact availability by allowing unauthorized changes to file requests.

If your system has users with access to the admin/upload menu, this vulnerability could be exploited to disrupt normal operations.

If no users have such access, the vulnerability does not have an impact.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Gokapi to version 2.2.3 or later, where the issue has been patched.

Additionally, ensure that there are users with access to the admin/upload menu, as the vulnerability has no impact if no users have such access.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-29060. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart