CVE-2026-28682 Overview
CVE-2026-28682 is an information disclosure vulnerability in Gokapi, a self-hosted file sharing server with automatic expiration and encryption support. Prior to version 2.2.3, the upload status Server-Sent Events (SSE) implementation on the /uploadStatus endpoint publishes global upload state to any authenticated listener. This includes file_id values that are not properly scoped to the requesting user, allowing authenticated users to access information about other users' file uploads.
Critical Impact
Authenticated users can enumerate and access file identifiers belonging to other users, potentially enabling unauthorized file access or targeted attacks against sensitive shared files.
Affected Products
- Forceu Gokapi versions prior to 2.2.3
Discovery Timeline
- 2026-03-06 - CVE-2026-28682 published to NVD
- 2026-03-09 - Last updated in NVD database
Technical Details for CVE-2026-28682
Vulnerability Analysis
This vulnerability represents a classic Insecure Direct Object Reference (IDOR) combined with improper access control in the SSE implementation. The /uploadStatus endpoint was designed to provide real-time upload progress information to users, but the implementation fails to properly isolate user sessions. When an authenticated user subscribes to this endpoint, they receive upload status events for all users on the system, not just their own uploads.
The core issue stems from the broadcast nature of the SSE implementation, where the server publishes upload state globally rather than maintaining per-user event streams. This architectural flaw means that any authenticated user—regardless of their privilege level—can observe file_id values for files being uploaded by other users.
Root Cause
The root cause is improper access control (CWE-200: Exposure of Sensitive Information to an Unauthorized Actor) in the upload status SSE handler. The implementation lacks user-scoped filtering when broadcasting upload events, resulting in global visibility of file identifiers across all authenticated sessions. The /uploadStatus endpoint does not validate whether the upload events being transmitted belong to the requesting user's session.
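The flaw described above, reduced to its essentials as an added example in Go (Gokapi's implementation language). This is illustrative code written for this page, not Gokapi's own code: the Broker, Subscribe, Publish and Observed names, the UploadEvent fields and the user names and file IDs are all constructed here. The same broker runs in two modes: with Scoped set to false every open SSE listener receives every upload event, which is the global-broadcast behaviour the advisory describes; with Scoped set to true, Publish drops events whose Owner does not match the user bound to the listener's server-side session, which is the kind of per-user filtering the 2.2.3 fix introduces.

```go
package main

import (
	"fmt"
	"sort"
	"sync"
)

// UploadEvent is the kind of payload an upload-status SSE stream carries.
// Field names are this example's own, not Gokapi's.
type UploadEvent struct {
	Owner  string // user whose session started the upload
	FileID string // identifier of the file being uploaded
	Status string // e.g. "uploading", "done"
}

// subscriber models one open SSE connection bound to an authenticated user.
type subscriber struct {
	user string
	ch   chan UploadEvent
}

// Broker fans upload events out to open SSE connections. With Scoped=false
// every listener receives every event (the global-broadcast flaw); with
// Scoped=true a listener only receives events for its own uploads.
type Broker struct {
	Scoped bool
	mu     sync.Mutex
	subs   []*subscriber
}

// Subscribe registers an SSE listener. The user must be taken from the
// server-side session of the connection, never from a client-supplied value.
func (b *Broker) Subscribe(user string) *subscriber {
	s := &subscriber{user: user, ch: make(chan UploadEvent, 32)}
	b.mu.Lock()
	b.subs = append(b.subs, s)
	b.mu.Unlock()
	return s
}

// Publish delivers an event to every listener entitled to see it.
func (b *Broker) Publish(ev UploadEvent) {
	b.mu.Lock()
	defer b.mu.Unlock()
	for _, s := range b.subs {
		if b.Scoped && s.user != ev.Owner {
			continue // the fix: events for another user's upload are not sent
		}
		select {
		case s.ch <- ev:
		default: // slow consumer: drop the event rather than block the publisher
		}
	}
}

// drain returns the file IDs queued on one subscriber, in arrival order.
func (s *subscriber) drain() []string {
	var ids []string
	for {
		select {
		case ev := <-s.ch:
			ids = append(ids, ev.FileID)
		default:
			return ids
		}
	}
}

// Observed runs one two-user scenario against a broker in the given mode and
// reports which file IDs each listener received. Users and IDs are constructed.
func Observed(scoped bool) map[string][]string {
	b := &Broker{Scoped: scoped}
	alice := b.Subscribe("alice")
	bob := b.Subscribe("bob")
	b.Publish(UploadEvent{Owner: "alice", FileID: "file-a1", Status: "uploading"})
	b.Publish(UploadEvent{Owner: "bob", FileID: "file-b1", Status: "uploading"})
	b.Publish(UploadEvent{Owner: "alice", FileID: "file-a1", Status: "done"})
	return map[string][]string{"alice": alice.drain(), "bob": bob.drain()}
}

func main() {
	for _, scoped := range []bool{false, true} {
		seen := Observed(scoped)
		users := make([]string, 0, len(seen))
		for u := range seen {
			users = append(users, u)
		}
		sort.Strings(users)
		for _, u := range users {
			fmt.Printf("scoped=%v %s sees %v\n", scoped, u, seen[u])
		}
	}
}
```

In unscoped mode bob's listener receives file-a1 even though he never uploaded it, which is exactly the file_id exposure the advisory describes; in scoped mode each user sees only their own IDs. The important design point is where the user identity comes from: the HTTP handler for the SSE endpoint must resolve it from the authenticated session before calling Subscribe, so that the filter cannot be bypassed by a client claiming a different name.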
Attack Vector
The attack vector is network-based, requiring low-privileged authenticated access to the Gokapi application. An attacker with valid credentials can connect to the /uploadStatus SSE endpoint and passively monitor all upload activity across the system. The exposed file_id values could potentially be used to construct direct download URLs for files belonging to other users, depending on the application's file access control implementation.
The vulnerability requires no user interaction and can be exploited by any authenticated user. While the attack complexity is low, the scope is changed because the vulnerable component (upload status endpoint) can affect resources beyond its security scope (other users' files).
Detection Methods for CVE-2026-28682
Indicators of Compromise
- Unusual patterns of SSE connections to /uploadStatus endpoint from single sessions
- Extended connection durations to the upload status endpoint without corresponding upload activity
- Multiple simultaneous connections from the same authenticated user to the SSE endpoint
- Access logs showing repeated queries to file download endpoints using enumerated file IDs
Detection Strategies
- Monitor web server access logs for abnormal connection patterns to /uploadStatus
- Implement rate limiting and connection duration monitoring for SSE endpoints
- Review application logs for access attempts to files that don't match the authenticated user's upload history
- Deploy web application firewall rules to detect SSE connection abuse patterns
Monitoring Recommendations
- Enable detailed logging for all SSE endpoint connections including client IP, session duration, and authentication context
- Set up alerts for single users maintaining multiple concurrent SSE connections
- Monitor for download attempts of files where the requesting user was not the original uploader
- Audit file access patterns to identify potential information harvesting behavior
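Two of the signals listed above, the long-lived /uploadStatus connection with no upload of its own and the download of a file by someone other than its uploader, implemented as an added Go example over constructed log lines. This is not Gokapi's logging or any tool's code: the key=value log format, the /upload and /download?id= paths, the dur field (connection duration in seconds), the user names and the file IDs are all assumptions made for this example; only /uploadStatus comes from the advisory. Analyze correlates the lines with an uploader map (file ID to the user who uploaded it) and returns one Finding per suspicious line.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Finding is one suspicious observation together with the log line behind it.
type Finding struct {
	Kind string // "cross-user-download" or "idle-sse-listener"
	User string
	Line string
}

// entry is a parsed log line in this example's constructed key=value format:
//   <timestamp> user=<name> method=<verb> path=<path> status=<code> dur=<seconds>
type entry struct {
	user, method, path, line string
	dur                      int
}

// parseLine extracts the fields used by Analyze; lines without a user or path
// (for example unauthenticated requests) are ignored.
func parseLine(line string) (entry, bool) {
	e := entry{line: line}
	for _, f := range strings.Fields(line) {
		k, v, ok := strings.Cut(f, "=") // path=/download?id=x splits at the first '='
		if !ok {
			continue
		}
		switch k {
		case "user":
			e.user = v
		case "method":
			e.method = v
		case "path":
			e.path = v
		case "dur":
			e.dur, _ = strconv.Atoi(v)
		}
	}
	return e, e.user != "" && e.path != ""
}

// Analyze flags (a) downloads where the requesting user is not the uploader
// recorded for that file ID and (b) /uploadStatus connections held open longer
// than maxIdleSSE seconds by a user who never issued an upload in the window.
func Analyze(lines []string, uploader map[string]string, maxIdleSSE int) []Finding {
	var findings []Finding
	uploaded := map[string]bool{} // users seen performing an upload
	var sse []entry               // SSE connections, checked after the whole window is read
	for _, l := range lines {
		e, ok := parseLine(l)
		if !ok {
			continue
		}
		switch {
		case e.method == "POST" && e.path == "/upload":
			uploaded[e.user] = true
		case e.path == "/uploadStatus":
			sse = append(sse, e)
		case strings.HasPrefix(e.path, "/download?id="):
			id := strings.TrimPrefix(e.path, "/download?id=")
			if owner, known := uploader[id]; known && owner != e.user {
				findings = append(findings, Finding{"cross-user-download", e.user, l})
			}
		}
	}
	for _, e := range sse {
		if e.dur > maxIdleSSE && !uploaded[e.user] {
			findings = append(findings, Finding{"idle-sse-listener", e.user, e.line})
		}
	}
	return findings
}

// SampleLines and SampleUploaders are constructed test data, not real logs.
var SampleLines = []string{
	"2026-03-07T10:00:00Z user=mallory method=GET path=/uploadStatus status=200 dur=3600",
	"2026-03-07T10:00:01Z user=alice method=POST path=/upload status=200 dur=12",
	"2026-03-07T10:00:02Z user=alice method=GET path=/uploadStatus status=200 dur=15",
	"2026-03-07T11:00:05Z user=mallory method=GET path=/download?id=file-a1 status=200 dur=1",
	"2026-03-07T11:00:09Z user=alice method=GET path=/download?id=file-a1 status=200 dur=1",
}

var SampleUploaders = map[string]string{"file-a1": "alice"}

func main() {
	for _, f := range Analyze(SampleLines, SampleUploaders, 600) {
		fmt.Printf("%-20s user=%-8s %s\n", f.Kind, f.User, f.Line)
	}
}
```

On the sample data only mallory is flagged: once for fetching alice's file-a1 and once for keeping /uploadStatus open for an hour without uploading anything, while alice's own short SSE session and her download of her own file produce no findings. The idle-listener threshold is deliberately a parameter, since legitimate uploads of large files can hold the stream open for a long time; tune it against the instance's normal upload durations before alerting on it.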
How to Mitigate CVE-2026-28682
Immediate Actions Required
- Upgrade Gokapi to version 2.2.3 or later immediately
- Review access logs for signs of exploitation prior to patching
- Audit file access patterns to identify any unauthorized access to files using enumerated IDs
- Consider rotating or regenerating file IDs for sensitive shared files if exploitation is suspected
Patch Information
The vulnerability has been patched in Gokapi version 2.2.3. The patch implements proper user-scoped filtering for upload status events, ensuring that authenticated users only receive SSE events for their own uploads. Users should upgrade to this version as soon as possible.
For detailed patch information, refer to the Gokapi v2.2.3 Release and the GitHub Security Advisory GHSA-c36c-7pc2-f2ph.
Workarounds
- Restrict network access to the Gokapi instance to trusted users only until patching is possible
- Implement additional authentication layers or network segmentation to limit exposure
- Monitor and audit /uploadStatus endpoint access to detect potential abuse
- Consider temporarily disabling the upload status feature if the application supports it
# Upgrade Gokapi to patched version
# Download the latest release from GitHub
wget https://github.com/Forceu/Gokapi/releases/download/v2.2.3/gokapi-linux_amd64
# Stop the running Gokapi service
systemctl stop gokapi
# Replace the binary with the patched version
mv gokapi-linux_amd64 /usr/local/bin/gokapi
chmod +x /usr/local/bin/gokapi
# Restart the service
systemctl start gokapi
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

