CVE-2026-30943 MEDIUM

CVE-2026-30943: Gokapi has Privilege Escalation in File Replace

Vendor Forceu
Product Gokapi
Weakness CWE-863 · Incorrect authorization
Published March 13, 2026
Last update March 13, 2026

CVSS base score

4.1/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Confidentiality None
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:N

What the vulnerability does

01Description

Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to 2.2.4, An insufficient authorization check in the file replace API allows a user with only list visibility permission (UserPermListOtherUploads) to delete another user's file by abusing the deleteNewFile flag, bypassing the requirement for UserPermDeleteOtherUploads. This vulnerability is fixed in 2.2.4.

Key dates

02Disclosure timeline

March 13, 2026 CVE published
March 13, 2026 Record updated