CVE-2026-30961
Chunked Upload Bypass in Gokapi Allows Oversized File Uploads
Publication date: 2026-03-13
Last updated on: 2026-03-17
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
| Metric | Value |
|---|---|
| Probability | |
| Percentile | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| forceu | gokapi | up to 2.2.4 (exclusive) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-770 | The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-30961 is a vulnerability in the Gokapi file sharing server (versions up to 2.2.3) where the system does not properly validate the total size of a file uploaded in chunks against the configured maximum size limit for that file request.

An attacker with access to a public file request link can bypass the size restriction by splitting an oversized file into multiple smaller chunks, each under the per-request MaxSize limit, and upload them sequentially. This allows uploading files larger than intended, up to the server's global maximum file size limit.

The vulnerability is due to improper input validation in the chunked upload completion path and was fixed in version 2.2.4. [1]
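The check the description refers to, shown as an added Go illustration rather than Gokapi's own code: a per-chunk limit that is enforced on every chunk, a completion path that never compares the assembled total against the per-request MaxSize (the defect described above), and the corrected completion path beside it. The FileRequest and Chunk types, the 1 MiB per-request limit and the 100 MiB stand-in for MaxFileSizeMB are assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
)

// FileRequest models a public file-request link with its own upload limit.
// Hypothetical type for illustration; not Gokapi's own structure.
type FileRequest struct {
	ID      string
	MaxSize int64 // per-request limit in bytes (0 = no per-request limit)
}

// Chunk is one piece of a chunked upload as the server receives it.
type Chunk struct {
	Offset int64
	Size   int64
}

// MaxFileSizeBytes stands in for the server-wide MaxFileSizeMB setting (assumed value).
const MaxFileSizeBytes int64 = 100 * 1024 * 1024

var (
	ErrChunkTooLarge = errors.New("chunk exceeds per-request MaxSize")
	ErrFileTooLarge  = errors.New("assembled file exceeds allowed size")
)

// acceptChunk is the per-chunk check both versions share: each chunk on its
// own must fit under the global limit and the request's MaxSize.
func acceptChunk(req FileRequest, c Chunk) error {
	if c.Size > MaxFileSizeBytes {
		return ErrFileTooLarge
	}
	if req.MaxSize > 0 && c.Size > req.MaxSize {
		return ErrChunkTooLarge
	}
	return nil
}

// assembledSize is the total size of the file once all chunks are joined.
func assembledSize(chunks []Chunk) int64 {
	var end int64
	for _, c := range chunks {
		if c.Offset+c.Size > end {
			end = c.Offset + c.Size
		}
	}
	return end
}

// completeUploadVulnerable mirrors the defect the advisory describes: the
// completion path only re-checks the global limit, never the per-request MaxSize,
// so N chunks of MaxSize each assemble into a file N times larger than allowed.
func completeUploadVulnerable(req FileRequest, chunks []Chunk) (int64, error) {
	total := assembledSize(chunks)
	if total > MaxFileSizeBytes {
		return 0, ErrFileTooLarge
	}
	return total, nil
}

// completeUploadFixed validates the assembled total against both limits.
func completeUploadFixed(req FileRequest, chunks []Chunk) (int64, error) {
	total := assembledSize(chunks)
	if total > MaxFileSizeBytes {
		return 0, ErrFileTooLarge
	}
	if req.MaxSize > 0 && total > req.MaxSize {
		return 0, ErrFileTooLarge
	}
	return total, nil
}

// UploadOutcome runs the whole flow (per-chunk checks, then completion) and
// returns the accepted size or the error that stopped the upload.
func UploadOutcome(req FileRequest, chunks []Chunk, fixed bool) (int64, error) {
	for _, c := range chunks {
		if err := acceptChunk(req, c); err != nil {
			return 0, err
		}
	}
	if fixed {
		return completeUploadFixed(req, chunks)
	}
	return completeUploadVulnerable(req, chunks)
}

func main() {
	req := FileRequest{ID: "demo", MaxSize: 1 << 20} // 1 MiB per-request limit (constructed)
	// Three 1 MiB chunks: each passes the per-chunk check, together they are 3 MiB.
	chunks := []Chunk{{0, 1 << 20}, {1 << 20, 1 << 20}, {2 << 20, 1 << 20}}
	for _, fixed := range []bool{false, true} {
		total, err := UploadOutcome(req, chunks, fixed)
		fmt.Printf("fixed=%v total=%d err=%v\n", fixed, total, err)
	}
}
```

Running it shows the vulnerable completion path accepting a 3 MiB file under a 1 MiB per-request limit while the fixed path rejects it; the global MaxFileSizeMB limit remains the only ceiling on the vulnerable path, which is exactly the bound the description gives.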
How can this vulnerability impact me?
This vulnerability allows an attacker with a public file request link to upload files larger than the administrator-configured size limit by bypassing the per-request MaxSize restriction.
The impact includes unauthorized consumption of storage resources, circumvention of administrative policies, and potential service disruption due to storage exhaustion.
However, it does not lead to data exposure, privilege escalation, or compromise confidentiality or integrity. The main impact is on availability with a low severity rating.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves an attacker uploading oversized files by splitting them into chunks smaller than the configured MaxSize limit and uploading them sequentially via a public file request link.
To detect exploitation attempts on your network or system, you should monitor file upload requests for unusual patterns such as multiple sequential chunked uploads that cumulatively exceed the configured per-request MaxSize limit.
Specifically, you can analyze server logs or network traffic for repeated chunked upload requests from the same source or file request link that together exceed the expected size limits.
While no specific commands are provided in the resources, typical approaches include using log analysis tools (e.g., grep, awk) to search for multiple chunked upload entries and network monitoring tools (e.g., tcpdump, Wireshark) to inspect upload traffic patterns.
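One way to run the log check suggested above, as an added example and not a tool from the page or the Gokapi project: it aggregates chunk sizes per source address and file-request link and flags any total above the configured per-request MaxSize. The key=value log lines and their field names are constructed for this example, since the page does not document Gokapi's actual log format; the parser has to be adapted to the real layout before use.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// sampleLog holds constructed log lines in a hypothetical key=value format.
// req-a1 uploads three 1 MiB chunks (3 MiB total); req-b2 uploads one 512 KiB chunk.
const sampleLog = `2026-03-14T10:00:01Z src=203.0.113.7 request=req-a1 action=chunk offset=0 size=1048576
2026-03-14T10:00:02Z src=203.0.113.7 request=req-a1 action=chunk offset=1048576 size=1048576
2026-03-14T10:00:03Z src=203.0.113.7 request=req-a1 action=chunk offset=2097152 size=1048576
2026-03-14T10:00:04Z src=203.0.113.7 request=req-a1 action=complete
2026-03-14T10:05:00Z src=198.51.100.4 request=req-b2 action=chunk offset=0 size=524288
2026-03-14T10:05:01Z src=198.51.100.4 request=req-b2 action=complete
2026-03-14T10:06:00Z src=198.51.100.4 request=req-b2 action=download`

// Finding describes a request whose chunks together exceed the per-request limit.
type Finding struct {
	Source    string
	Request   string
	TotalSize int64
	Chunks    int
}

// parseFields splits a "key=value" log line into a map; the leading timestamp
// token carries no '=' and is skipped.
func parseFields(line string) map[string]string {
	fields := map[string]string{}
	for _, tok := range strings.Fields(line) {
		if k, v, ok := strings.Cut(tok, "="); ok {
			fields[k] = v
		}
	}
	return fields
}

// FindOversizedUploads sums chunk sizes per (source, request) and reports every
// total above maxSize, in first-seen order. Chunks are summed as logged, so a
// retransmitted chunk inflates the sum: treat findings as leads to verify.
func FindOversizedUploads(log string, maxSize int64) []Finding {
	type key struct{ src, req string }
	totals := map[key]*Finding{}
	var order []key
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		f := parseFields(sc.Text())
		if f["action"] != "chunk" {
			continue
		}
		size, err := strconv.ParseInt(f["size"], 10, 64)
		if err != nil {
			continue // malformed size field: skip rather than miscount
		}
		k := key{f["src"], f["request"]}
		if _, seen := totals[k]; !seen {
			totals[k] = &Finding{Source: k.src, Request: k.req}
			order = append(order, k)
		}
		totals[k].TotalSize += size
		totals[k].Chunks++
	}
	var out []Finding
	for _, k := range order {
		if totals[k].TotalSize > maxSize {
			out = append(out, *totals[k])
		}
	}
	return out
}

func main() {
	// Constructed per-request limit of 1 MiB; use the MaxSize configured on your instance.
	for _, f := range FindOversizedUploads(sampleLog, 1<<20) {
		fmt.Printf("ALERT src=%s request=%s chunks=%d total=%d bytes exceeds limit\n",
			f.Source, f.Request, f.Chunks, f.TotalSize)
	}
}
```

Keyed on both source and request link, the aggregation catches the pattern the answer describes (many chunks under the limit from one link that together exceed it) without flagging a legitimate single upload; raising maxSize to the global MaxFileSizeMB instead shows which uploads would have been stopped even on an unpatched server.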
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade Gokapi to version 2.2.4 or later, where this vulnerability has been fixed.
Until the upgrade can be applied, consider restricting access to public file request links or monitoring and limiting chunked upload activity to prevent abuse.
Additionally, review and enforce global MaxFileSizeMB limits and per-request MaxSize configurations carefully to reduce the risk of storage exhaustion.