CVE-2026-29084
📋 TL;DR
CVE-2026-29084 is a Cross-Site Request Forgery (CSRF) vulnerability in the Gokapi self-hosted file sharing server that allows attackers to trick users into performing unintended login actions. It affects all Gokapi instances running versions before 2.2.3. An attacker could force a victim's browser to authenticate to Gokapi with attacker-controlled credentials.
💻 Affected Systems
- Gokapi
📦 What is this software?
Gokapi by Forceu
⚠️ Risk & Real-World Impact
Worst Case
Attackers could hijack user sessions by forcing authentication with attacker-controlled credentials, potentially gaining unauthorized access to file sharing functionality and sensitive data.
Likely Case
Attackers could perform session fixation attacks or force users to authenticate with compromised credentials, leading to unauthorized access to the Gokapi interface.
If Mitigated
With proper CSRF protections and user awareness, the risk is limited to targeted attacks requiring user interaction with malicious content.
🎯 Exploit Status
Exploitation requires the victim to be tricked into visiting a malicious website while having an active session or being logged into Gokapi. No authentication is required to initiate the attack, but user interaction is needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.2.3
Vendor Advisory: https://github.com/Forceu/Gokapi/security/advisories/GHSA-hcff-qv74-7hr4
Restart Required: Yes
Instructions:
1. Back up your Gokapi configuration and data.
2. Download Gokapi version 2.2.3 from the official releases.
3. Replace the existing Gokapi installation with the new version.
4. Restart the Gokapi service.
5. Verify the update was successful by checking the version.
🔧 Temporary Workarounds
Implement CSRF Protection Proxy
Deploy a reverse proxy or web application firewall in front of Gokapi that enforces CSRF protection on login requests (for example by issuing and validating CSRF tokens, or by refusing login POSTs that do not originate from the Gokapi site itself)
# Configure nginx with CSRF protection module
# or use WAF rules to validate session tokens
Restrict Access
Limit Gokapi access to trusted networks only using firewall rules (replace the bracketed placeholders with your values; the ACCEPT rule must come before the DROP rule, as in the order shown)
iptables -A INPUT -p tcp --dport [GOKAPI_PORT] -s [TRUSTED_NETWORK] -j ACCEPT
iptables -A INPUT -p tcp --dport [GOKAPI_PORT] -j DROP
🧯 If You Can't Patch
- Deploy Gokapi behind a reverse proxy with CSRF protection enabled
- Implement network segmentation to restrict Gokapi access to internal networks only
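The following is an added example of the reverse-proxy workaround described above; it is not Gokapi's own code and not part of the vendor advisory. It is a small Go reverse proxy that forwards everything to an internal Gokapi listener but refuses a POST to the /login endpoint unless the browser's Sec-Fetch-Site, Origin or Referer header shows it came from our own site. The public hostname `files.example.internal`, the upstream address `http://127.0.0.1:53842` and the listen port 8080 are assumptions for illustration, and the `crossSiteLogin` and `loginGuard` names are hypothetical.

```go
package main

import (
	"log"
	"net/http"
	"net/http/httputil"
	"net/url"
	"strings"
)

// Assumed deployment values (not from the advisory): the hostname users type
// into their browser, and the internal address the Gokapi process listens on.
const publicHost = "files.example.internal"
const upstreamAddr = "http://127.0.0.1:53842"

// loginPath is the login endpoint named in the advisory's detection section.
const loginPath = "/login"

// crossSiteLogin reports whether a request is a POST to the login endpoint
// that did not originate from our own site. Precedence:
//  1. Sec-Fetch-Site, which browsers set and a third-party page cannot forge:
//     same-origin / same-site / none are allowed, cross-site is refused;
//  2. otherwise the host in Origin (or, failing that, Referer) must equal
//     publicHost;
//  3. a login POST carrying none of these headers is refused, since a genuine
//     browser form submission always carries at least one of them.
func crossSiteLogin(method, path, fetchSite, origin, referer string) bool {
	if method != http.MethodPost || path != loginPath {
		return false // only the state-changing login POST is gated
	}
	switch fetchSite {
	case "same-origin", "same-site", "none":
		return false
	case "cross-site":
		return true
	}
	for _, v := range []string{origin, referer} {
		if v == "" {
			continue
		}
		u, err := url.Parse(v)
		if err != nil {
			return true // unparsable header: treat as foreign
		}
		// An Origin of "null" has no hostname and therefore also fails here.
		return !strings.EqualFold(u.Hostname(), publicHost)
	}
	return true
}

// loginGuard wraps a reverse proxy to Gokapi and refuses cross-site login
// POSTs before they reach the application.
func loginGuard(upstream *url.URL) http.Handler {
	proxy := httputil.NewSingleHostReverseProxy(upstream)
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if crossSiteLogin(r.Method, r.URL.Path, r.Header.Get("Sec-Fetch-Site"),
			r.Header.Get("Origin"), r.Header.Get("Referer")) {
			log.Printf("refused cross-site login POST from %s origin=%q referer=%q",
				r.RemoteAddr, r.Header.Get("Origin"), r.Header.Get("Referer"))
			http.Error(w, "cross-site login request refused", http.StatusForbidden)
			return
		}
		proxy.ServeHTTP(w, r)
	})
}

func main() {
	upstream, err := url.Parse(upstreamAddr)
	if err != nil {
		log.Fatal(err)
	}
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", loginGuard(upstream)))
}
```

Only the login POST is gated, so normal browsing, downloads and GET requests are untouched; refused requests are logged with their Origin and Referer so they can be fed into the detection rules in the next section. The same check can be expressed as an nginx `if`/`map` rule on `$http_sec_fetch_site` and `$http_origin`, but the proxy version is easier to unit-test.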
🔍 How to Verify
Check if Vulnerable:
Check the Gokapi version via the web interface or configuration file. If the version is below 2.2.3, the system is vulnerable.
Check Version:
Check the version.txt file in the Gokapi installation directory or view the version in the web interface footer.
Verify Fix Applied:
After updating, verify the version shows 2.2.3 or higher in the web interface or configuration.
📡 Detection & Monitoring
Log Indicators:
- Multiple login attempts from same IP with different user agents
- Login requests missing referrer headers or CSRF tokens
Network Indicators:
- HTTP POST requests to /login endpoint without proper referrer headers
- Cross-origin requests to Gokapi login endpoint
SIEM Query:
source="gokapi.log" AND (uri_path="/login" AND http_method="POST") AND NOT (http_referer CONTAINS "gokapi")
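As an added example (not part of the advisory and not Gokapi's own code), the following Go program applies the two log indicators above to access-log lines: it flags POST /login requests whose Referer is missing or from a host other than the expected one, and IP addresses that submitted login POSTs with more than one user agent. The log lines are constructed for the example in the common combined log format as a reverse proxy in front of Gokapi would write them; the hostname `files.example.internal` and the function names are assumptions.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// expectedHost is the hostname users legitimately reach Gokapi on (assumed).
const expectedHost = "files.example.internal"

// sampleLog is constructed for this example; it is not real Gokapi output.
// The third and fourth lines are the two shapes the advisory's indicators
// describe: a login POST referred from a foreign page, and one with no
// Referer at all, both from an IP that also switches user agents.
const sampleLog = `
10.0.0.5 - - [10/Mar/2026:09:14:02 +0000] "GET /login HTTP/1.1" 200 1342 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/128.0"
10.0.0.5 - - [10/Mar/2026:09:14:09 +0000] "POST /login HTTP/1.1" 302 0 "https://files.example.internal/login" "Mozilla/5.0 (X11; Linux x86_64) Firefox/128.0"
10.0.0.8 - - [10/Mar/2026:09:20:31 +0000] "POST /login HTTP/1.1" 302 0 "https://third-party.example/lure.html" "Mozilla/5.0 (Windows NT 10.0) Chrome/124.0"
10.0.0.8 - - [10/Mar/2026:09:20:33 +0000] "POST /login HTTP/1.1" 302 0 "-" "curl/8.6.0"
10.0.0.8 - - [10/Mar/2026:09:21:10 +0000] "GET / HTTP/1.1" 200 5120 "https://files.example.internal/" "Mozilla/5.0 (Windows NT 10.0) Chrome/124.0"
`

// Combined log format: ip ident user [time] "METHOD path proto" status size "referer" "user-agent"
var lineRe = regexp.MustCompile(`^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) \S+ "([^"]*)" "([^"]*)"$`)

type loginPost struct {
	IP, Time, Referer, UserAgent string
}

// parseLoginPosts keeps only the POST /login entries (query string ignored).
func parseLoginPosts(logText string) []loginPost {
	var out []loginPost
	for _, line := range strings.Split(strings.TrimSpace(logText), "\n") {
		m := lineRe.FindStringSubmatch(line)
		if m == nil || m[3] != "POST" || strings.SplitN(m[4], "?", 2)[0] != "/login" {
			continue
		}
		out = append(out, loginPost{IP: m[1], Time: m[2], Referer: m[6], UserAgent: m[7]})
	}
	return out
}

// foreignReferer reports whether a Referer is absent ("-"), unparsable, or
// from a host other than expectedHost.
func foreignReferer(ref string) bool {
	if ref == "" || ref == "-" {
		return true
	}
	u, err := url.Parse(ref)
	if err != nil {
		return true
	}
	return !strings.EqualFold(u.Hostname(), expectedHost)
}

// Finding is one suspicious observation from the log.
type Finding struct {
	Kind, IP, Detail string
}

// analyse applies both indicators and returns the findings (order of the
// per-IP findings follows map iteration and is not significant).
func analyse(logText string) []Finding {
	var findings []Finding
	agentsByIP := map[string]map[string]bool{}
	for _, p := range parseLoginPosts(logText) {
		if foreignReferer(p.Referer) {
			findings = append(findings, Finding{"cross-site-login", p.IP,
				fmt.Sprintf("referer=%q at %s", p.Referer, p.Time)})
		}
		if agentsByIP[p.IP] == nil {
			agentsByIP[p.IP] = map[string]bool{}
		}
		agentsByIP[p.IP][p.UserAgent] = true
	}
	for ip, agents := range agentsByIP {
		if len(agents) > 1 {
			findings = append(findings, Finding{"multi-agent-logins", ip,
				fmt.Sprintf("%d distinct user agents on login POSTs", len(agents))})
		}
	}
	return findings
}

func main() {
	for _, f := range analyse(sampleLog) {
		fmt.Printf("%-20s %-10s %s\n", f.Kind, f.IP, f.Detail)
	}
}
```

On the constructed input this yields two cross-site-login findings (the foreign Referer and the missing one) and one multi-agent finding for 10.0.0.8, mirroring the SIEM query above; the Referer check is the same test that query expresses with `NOT (http_referer CONTAINS "gokapi")`, but it compares the parsed hostname rather than a substring, so a foreign page whose URL merely contains the word "gokapi" is still flagged.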