CVE-2026-29060 MEDIUM

CVE-2026-29060: Gokapi: Privilege escalation with auth token

Vendor Forceu

Product Gokapi

Weakness CWE-284

Published March 6, 2026

Last update March 6, 2026

View on NVD All CVEs

CVSS base score

5.0/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality None

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L

What the vulnerability does

01Description

Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to version 2.2.3, a registered user without privileges to create or modify file requests is able to create a short-lived API key that has the permission to do so. The user must be registered with Gokapi. If there are no users with access to the admin/upload menu, there is no impact. This issue has been patched in version 2.2.3.

Key dates

02Disclosure timeline

March 6, 2026 CVE published

March 6, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-29060

Related vulnerabilities

CVE-2026-29060: Gokapi: Privilege escalation with auth token

01Description

02Disclosure timeline

03References

04Related CVE