CVE-2026-30961
Received Received - Intake
Chunked Upload Bypass in Gokapi Allows Oversized File Uploads

Publication date: 2026-03-13

Last updated on: 2026-03-17

Assigner: GitHub, Inc.

Description
Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to 2.2.4, the chunked upload completion path for file requests does not validate the total file size against the per-request MaxSize limit. An attacker with a public file request link can split an oversized file into chunks each under MaxSize and upload them sequentially, bypassing the size restriction entirely. Files up to the server's global MaxFileSizeMB are accepted regardless of the file request's configured limit. This vulnerability is fixed in 2.2.4.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-13
Last Modified
2026-03-17
Generated
2026-06-16
AI Q&A
2026-03-13
EPSS Evaluated
2026-06-15
NVD
CVE-2026-30961
EUVD
EUVD-2026-12080
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
forceu gokapi to 2.2.4 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-770 The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-30961 is a vulnerability in the Gokapi file sharing server (versions up to 2.2.3) where the system does not properly validate the total size of a file uploaded in chunks against the configured maximum size limit for that file request.'}, {'type': 'paragraph', 'content': "An attacker with access to a public file request link can bypass the size restriction by splitting an oversized file into multiple smaller chunks, each under the per-request MaxSize limit, and upload them sequentially. This allows uploading files larger than intended, up to the server's global maximum file size limit."}, {'type': 'paragraph', 'content': 'The vulnerability is due to improper input validation in the chunked upload completion path and was fixed in version 2.2.4.'}] [1]

Impact Analysis

This vulnerability allows an attacker with a public file request link to upload files larger than the administrator-configured size limit by bypassing the per-request MaxSize restriction.

The impact includes unauthorized consumption of storage resources, circumvention of administrative policies, and potential service disruption due to storage exhaustion.

However, it does not lead to data exposure, privilege escalation, or compromise confidentiality or integrity. The main impact is on availability with a low severity rating.

Compliance Impact

I don't know

Detection Guidance

This vulnerability involves an attacker uploading oversized files by splitting them into chunks smaller than the configured MaxSize limit and uploading them sequentially via a public file request link.

To detect exploitation attempts on your network or system, you should monitor file upload requests for unusual patterns such as multiple sequential chunked uploads that cumulatively exceed the configured per-request MaxSize limit.

Specifically, you can analyze server logs or network traffic for repeated chunked upload requests from the same source or file request link that together exceed the expected size limits.

While no specific commands are provided in the resources, typical approaches include using log analysis tools (e.g., grep, awk) to search for multiple chunked upload entries and network monitoring tools (e.g., tcpdump, Wireshark) to inspect upload traffic patterns.

Mitigation Strategies

The primary mitigation step is to upgrade Gokapi to version 2.2.4 or later, where this vulnerability has been fixed.

Until the upgrade can be applied, consider restricting access to public file request links or monitoring and limiting chunked upload activity to prevent abuse.

Additionally, review and enforce global MaxFileSizeMB limits and per-request MaxSize configurations carefully to reduce the risk of storage exhaustion.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-30961. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart