CVE-2026-29061
Privilege Escalation in Gokapi API Key Permission Handling
Publication date: 2026-03-06
Last updated on: 2026-03-09
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| forceu | gokapi | up to 2.2.3 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-29061 is a moderate-severity privilege escalation vulnerability in the Gokapi file sharing server, affecting versions prior to 2.2.3. The issue occurs because when a user's rank is demoted, their existing API keys do not have their permissions properly revoked. Specifically, API keys retain permissions to manage upload requests and view logs even after the user has lost all other privileges.

This means that a demoted user can still remotely create, list, and delete upload requests and read application logs and system status, despite no longer having the appropriate rank or privileges. [1]
How can this vulnerability impact me?
This vulnerability allows a demoted user to retain elevated API permissions, enabling continued access to sensitive functions such as managing file upload requests and viewing logs.
- Unauthorized management of upload requests (create, list, delete)
- Unauthorized access to application logs and system status information
The impact includes a low loss of confidentiality and integrity, as sensitive information could be exposed or modified by users who should no longer have such access. However, availability is not affected.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by identifying API keys that retain elevated permissions (ApiPermManageFileRequests and ApiPermManageLogs) despite the associated user being demoted. Specifically, you should audit API keys for users who no longer have admin or elevated ranks but whose keys still allow managing upload requests and viewing logs.
Since the vulnerability involves improper permission revocation on API keys, detection involves querying the system or database for API keys with these permissions and cross-referencing the current user rank.
Suggested commands or steps might include:
- Query the API key database or configuration to list all API keys with ApiPermManageFileRequests and ApiPermManageLogs permissions.
- Check the current rank or privilege level of the users associated with those API keys.
- Identify any API keys that have these permissions but belong to users who have been demoted or stripped of privileges.
- If Gokapi provides an API or CLI tool, use it to list API keys and their permissions, for example, a command like `gokapi-cli api-keys list --permissions ApiPermManageFileRequests,ApiPermManageLogs` (hypothetical).
Note: The exact commands depend on your Gokapi setup and available tools; the vulnerability description and advisory do not provide specific detection commands.
What immediate steps should I take to mitigate this vulnerability?
The immediate and recommended mitigation step is to upgrade Gokapi to version 2.2.3 or later, where this privilege escalation vulnerability has been patched.
If upgrading immediately is not possible, you should manually audit and revoke API keys that retain elevated permissions (ApiPermManageFileRequests and ApiPermManageLogs) for users who have been demoted.
Additionally, review and tighten access control policies to ensure that API keys are properly revoked or updated when user privileges change.
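The audit described in the detection answer and the manual revocation described in the mitigation answer, modelled in Go as an added example (this is not Gokapi's own code). The permission bit values, the Rank type, the ApiKey layout and the function names are assumptions made for this example; only the permission names ApiPermManageFileRequests and ApiPermManageLogs come from the advisory.

```go
package main

// ApiPermission is a permission bitmask; the bit values are assumed here.
type ApiPermission uint16

const (
	ApiPermView               ApiPermission = 1 << iota // assumed
	ApiPermUpload                                       // assumed
	ApiPermManageFileRequests                           // named in the advisory
	ApiPermManageLogs                                   // named in the advisory
)

// Rank is the user's privilege level; in this model only admins may hold elevated permissions.
type Rank int

const (
	RankUser Rank = iota
	RankAdmin
)

type ApiKey struct {
	ID, Owner   string
	Permissions ApiPermission
}

// elevated is the set that a demoted (non-admin) user's keys must not retain.
const elevated = ApiPermManageFileRequests | ApiPermManageLogs

// AuditKeys returns the IDs of keys that still carry an elevated permission although
// their owner is not an admin: the detection check. An owner absent from ranks counts as non-admin.
func AuditKeys(keys []ApiKey, ranks map[string]Rank) []string {
	var stale []string
	for _, k := range keys {
		if ranks[k.Owner] != RankAdmin && k.Permissions&elevated != 0 {
			stale = append(stale, k.ID)
		}
	}
	return stale
}

// RevokeOnDemote clears the elevated bits from every key of a user whose new rank is
// below admin and returns how many keys changed: the revocation a demotion must perform.
func RevokeOnDemote(keys []ApiKey, owner string, newRank Rank) int {
	changed := 0
	for i := range keys {
		if newRank != RankAdmin && keys[i].Owner == owner && keys[i].Permissions&elevated != 0 {
			keys[i].Permissions &^= elevated
			changed++
		}
	}
	return changed
}
```

Run AuditKeys against the exported key list and current user ranks; any ID it returns is a key to revoke or re-issue with reduced permissions until the upgrade to 2.2.3 is in place.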