CVE-2026-28682
📋 TL;DR
This vulnerability in Gokapi's upload status SSE implementation allows authenticated users to see global upload state and file IDs from other users. It affects all Gokapi instances running versions before 2.2.3. The issue exposes sensitive file metadata across user boundaries.
💻 Affected Systems
- Gokapi
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Authenticated attackers could enumerate all file uploads across the system, potentially accessing sensitive file metadata and identifiers that could be used in further attacks.
Likely Case
Authenticated users inadvertently or intentionally viewing other users' file upload statuses and file IDs, leading to information disclosure.
If Mitigated
With proper access controls and patching, users only see their own upload status and file IDs as intended.
🎯 Exploit Status
Exploitation requires authenticated access. The vulnerability is in the SSE endpoint logic.
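The flaw described above is a missing per-user scope on the SSE fan-out: upload events are broadcast to every authenticated stream instead of only to the upload owner's. The following is an added illustration, not Gokapi's code; the Broker and UploadEvent types, their field names and the two Publish methods are assumptions made for the example. PublishGlobal models the leaking behaviour, PublishScoped the hardened form.

```go
package main

import "sync"

// UploadEvent is what an upload-status SSE stream carries. The field
// names are assumptions for this example, not Gokapi's real schema.
type UploadEvent struct {
	OwnerID string // user whose upload this is
	FileID  string // must never reach another user's stream
}

// Broker fans events out to SSE connections, keyed by each connection's authenticated user ID.
type Broker struct {
	mu   sync.Mutex
	subs map[string][]chan UploadEvent
}

func NewBroker() *Broker { return &Broker{subs: map[string][]chan UploadEvent{}} }

// Subscribe registers one authenticated user's SSE connection; the buffered channel stands in for the response stream.
func (b *Broker) Subscribe(userID string) <-chan UploadEvent {
	ch := make(chan UploadEvent, 16)
	b.mu.Lock()
	defer b.mu.Unlock()
	b.subs[userID] = append(b.subs[userID], ch)
	return ch
}

// PublishGlobal models the flaw: every subscriber gets every event,
// so one user sees every other user's file IDs and upload state.
func (b *Broker) PublishGlobal(ev UploadEvent) {
	b.mu.Lock()
	defer b.mu.Unlock()
	for _, chans := range b.subs {
		for _, ch := range chans {
			ch <- ev
		}
	}
}

// PublishScoped is the hardened form: delivery is keyed on the owner,
// so a connection only ever receives its own user's events.
func (b *Broker) PublishScoped(ev UploadEvent) {
	b.mu.Lock()
	defer b.mu.Unlock()
	for _, ch := range b.subs[ev.OwnerID] {
		ch <- ev
	}
}

func main() {}
```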
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.2.3
Vendor Advisory: https://github.com/Forceu/Gokapi/security/advisories/GHSA-c36c-7pc2-f2ph
Restart Required: Yes
Instructions:
1. Back up your Gokapi configuration and data.
2. Download Gokapi v2.2.3 from the official releases.
3. Replace the existing Gokapi binary with the new version.
4. Restart the Gokapi service.
🔧 Temporary Workarounds
Disable upload status endpoint
Temporarily disable the vulnerable /uploadStatus SSE endpoint
Modify the Gokapi configuration to disable SSE endpoints, or block /uploadStatus at the reverse proxy or load balancer
🧯 If You Can't Patch
- Restrict access to Gokapi to trusted users only using network segmentation or VPN
- Implement an additional authentication layer or rate limiting for authenticated endpoints
🔍 How to Verify
Check if Vulnerable:
Check the Gokapi version. If it is lower than 2.2.3, the system is vulnerable.
Check Version:
./gokapi --version or check the web interface footer
Verify Fix Applied:
Verify Gokapi version is 2.2.3 or higher and test that authenticated users only see their own upload status.
📡 Detection & Monitoring
Log Indicators:
- Multiple users accessing the same file IDs
- Unusual patterns in /uploadStatus endpoint access
Network Indicators:
- SSE connections to /uploadStatus from multiple user sessions showing cross-user data
SIEM Query:
source="gokapi" AND (url_path="/uploadStatus" AND user_id!=file_owner_id)