Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-29061 is a moderate severity privilege escalation vulnerability in the Gokapi file sharing server versions prior to 2.2.3. The issue occurs because when a user's rank is demoted, their existing API keys do not have their permissions properly revoked. Specifically, API keys retain permissions to manage upload requests and view logs even after the user has lost all other privileges."}, {'type': 'paragraph', 'content': 'This means that a demoted user can still remotely create, list, and delete upload requests and read application logs and system status, despite no longer having the appropriate rank or privileges.'}] [1]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows a demoted user to retain elevated API permissions, enabling continued access to sensitive functions such as managing file upload requests and viewing logs.

• Unauthorized management of upload requests (create, list, delete)
• Unauthorized access to application logs and system status information

The impact includes a low loss of confidentiality and integrity, as sensitive information could be exposed or modified by users who should no longer have such access. However, availability is not affected.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by identifying API keys that retain elevated permissions (ApiPermManageFileRequests and ApiPermManageLogs) despite the associated user being demoted. Specifically, you should audit API keys for users who no longer have admin or elevated ranks but whose keys still allow managing upload requests and viewing logs.

Since the vulnerability involves improper permission revocation on API keys, detection involves querying the system or database for API keys with these permissions and cross-referencing the current user rank.

Suggested commands or steps might include:

• Query the API key database or configuration to list all API keys with ApiPermManageFileRequests and ApiPermManageLogs permissions.
• Check the current rank or privilege level of the users associated with those API keys.
• Identify any API keys that have these permissions but belong to users who have been demoted or stripped of privileges.
• If Gokapi provides an API or CLI tool, use it to list API keys and their permissions, for example, a command like `gokapi-cli api-keys list --permissions ApiPermManageFileRequests,ApiPermManageLogs` (hypothetical).

Note: The exact commands depend on your Gokapi setup and available tools; the vulnerability description and advisory do not provide specific detection commands.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate and recommended mitigation step is to upgrade Gokapi to version 2.2.3 or later, where this privilege escalation vulnerability has been patched.

If upgrading immediately is not possible, you should manually audit and revoke API keys that retain elevated permissions (ApiPermManageFileRequests and ApiPermManageLogs) for users who have been demoted.

Additionally, review and tighten access control policies to ensure that API keys are properly revoked or updated when user privileges change.

Useful 0 Not Useful 0