CVE-2026-29060

5.0 MEDIUM

📋 TL;DR

In Gokapi versions before 2.2.3, registered users without proper privileges can create short-lived API keys with elevated permissions to create or modify file requests. This affects all Gokapi instances with registered users, but only has impact if no admin/upload users exist.

💻 Affected Systems

Products:
  • Gokapi
Versions: All versions prior to 2.2.3
Operating Systems: All platforms running Gokapi
Default Config Vulnerable: ⚠️ Yes
Notes: Requires user registration feature to be enabled and at least one registered user.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Unauthorized users gain the ability to create/modify file requests, potentially exposing sensitive files or disrupting file sharing operations.

🟠 Likely Case

Limited privilege escalation allowing unauthorized file request creation, but requires existing user registration.

🟢 If Mitigated

No impact if proper user privilege controls are enforced or if no admin/upload users exist.

🌐 Internet-Facing: MEDIUM - Exploitable if instance is internet-facing with user registration enabled, but requires authenticated user access.
🏢 Internal Only: MEDIUM - Similar risk internally, but attack surface is limited to authenticated users within the network.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW - Simple API key creation with elevated permissions.

Exploitation requires authenticated user access and knowledge of API endpoints.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.2.3

Vendor Advisory: https://github.com/Forceu/Gokapi/security/advisories/GHSA-m2hx-wjxc-9fp4

Restart Required: Yes

Instructions:

1. Backup your Gokapi configuration and data.
2. Download Gokapi v2.2.3 from GitHub releases.
3. Replace existing Gokapi installation with new version.
4. Restart the Gokapi service.

🔧 Temporary Workarounds

Disable user registration (applies to: all)

  • Purpose: Prevent new user registrations to eliminate the attack vector.
  • Action: Edit the Gokapi configuration to disable the user registration feature.

Restrict API key creation (applies to: all)

  • Purpose: Implement access controls to limit API key creation to admin users only.
  • Action: Configure Gokapi to require admin privileges for API key management.

🧯 If You Can't Patch

  • Implement strict user privilege review and monitoring
  • Disable API key functionality for non-admin users

🔍 How to Verify

Check if Vulnerable:

Check the Gokapi version: if it is lower than 2.2.3, the system is vulnerable.

Check Version:

Check Gokapi web interface or configuration file for version information

Verify Fix Applied:

Verify Gokapi version is 2.2.3 or higher after patching.
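As an added example (not code from the advisory or the Gokapi project), the version check above written as a function that compares version components numerically rather than as strings, so that a version such as 2.10.0 is correctly treated as newer than 2.2.3. It takes the version string read from the web interface or configuration file as input; the accepted string shapes (optional "v" prefix, optional pre-release suffix) are assumptions, and an unparsable string is reported as unknown rather than as patched.

```python
import re
from typing import Optional, Tuple

# First release containing the fix for CVE-2026-29060 (from the advisory).
FIXED_VERSION = (2, 2, 3)

# Assumed version string shapes: "2.2.3", "v2.2.3", "2.2.3-beta1", "2.2.3+build7".
_VERSION_RE = re.compile(
    r"^v?(?P<major>\d+)\.(?P<minor>\d+)(?:\.(?P<patch>\d+))?"
    r"(?:-(?P<pre>[0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$"
)


def parse_version(text: str) -> Optional[Tuple[Tuple[int, int, int], bool]]:
    """Return ((major, minor, patch), is_prerelease), or None if not a version."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    core = (int(m["major"]), int(m["minor"]), int(m["patch"] or 0))
    return core, m["pre"] is not None


def is_vulnerable(version_text: str) -> Optional[bool]:
    """True if older than 2.2.3, False if 2.2.3 or newer,
    None if the string cannot be parsed (treat as unknown, not as safe)."""
    parsed = parse_version(version_text)
    if parsed is None:
        return None
    core, prerelease = parsed
    if core < FIXED_VERSION:  # tuple comparison is numeric per component
        return True
    if core == FIXED_VERSION and prerelease:
        # A 2.2.3 pre-release predates the 2.2.3 release and may lack the fix.
        return True
    return False


if __name__ == "__main__":
    # Constructed sample inputs; a lexicographic string compare would get "2.10.0" wrong.
    for sample in ("2.2.2", "v2.2.3", "2.10.0", "2.2.3-rc1", "latest"):
        print(f"{sample:>10}: vulnerable={is_vulnerable(sample)}")
```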

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized API key creation events
  • File request creation from non-privileged users

Network Indicators:

  • API calls to create/modify file requests from unexpected user accounts

SIEM Query:

source="gokapi" AND (event="api_key_created" OR event="file_request_created") AND user_role!="admin"
