CVE-2026-29060 Overview
CVE-2026-29060 is an improper access control vulnerability affecting Gokapi, a self-hosted file sharing server with automatic expiration and encryption support. Prior to version 2.2.3, a registered user without privileges to create or modify file requests is able to create a short-lived API key that has the permission to do so. This authorization bypass allows lower-privileged users to escalate their capabilities within the application.
Critical Impact
Authenticated users can bypass authorization controls to create API keys with elevated file request permissions, potentially allowing unauthorized file sharing operations on affected Gokapi instances.
Affected Products
- Forceu Gokapi versions prior to 2.2.3
- Self-hosted Gokapi deployments with multiple registered users
- Gokapi instances where users exist without admin/upload menu access
Discovery Timeline
- 2026-03-06 - CVE-2026-29060 published to NVD
- 2026-03-09 - Last updated in NVD database
Technical Details for CVE-2026-29060
Vulnerability Analysis
This vulnerability stems from improper access control (CWE-284) within Gokapi's API key generation functionality. The flaw allows authenticated users to bypass the intended authorization model by generating API keys with permissions that exceed their assigned role. Specifically, users who lack privileges to create or modify file requests can craft short-lived API keys that grant them these restricted capabilities.
The attack requires network access and an authenticated session on the Gokapi instance. While the attacker must be a registered user, no administrative privileges are required to exploit this flaw. The scope is changed, meaning the vulnerability can affect resources beyond the vulnerable component's security boundary, though the direct impact is limited to integrity violations without confidentiality or availability impact.
Root Cause
The root cause is an improper access control implementation in Gokapi's API key generation mechanism. The application fails to properly validate whether the requesting user has the necessary privileges before allowing them to create API keys with file request creation and modification permissions. This gap in the authorization logic allows registered users to effectively escalate their privileges through the generated API key.
Attack Vector
The attack is executed over the network and requires authenticated access to a Gokapi instance. An attacker with a valid user account can exploit this vulnerability by:
- Authenticating to the Gokapi instance with a standard user account
- Accessing the API key generation functionality
- Creating a short-lived API key with elevated file request permissions
- Using the generated API key to perform file request operations that would normally be restricted
The vulnerability mechanism involves the insufficient validation of user permissions during API key creation. When a user requests an API key, the system does not properly verify that the user's role authorizes them to create keys with file request permissions. For technical implementation details, refer to the GitHub Security Advisory GHSA-m2hx-wjxc-9fp4.
Detection Methods for CVE-2026-29060
Indicators of Compromise
- API key creation events from users without admin or upload menu privileges
- Unexpected file request creation or modification activities
- Audit log entries showing API key usage inconsistent with user role assignments
- Multiple short-lived API keys generated by non-privileged accounts
Detection Strategies
- Monitor API key generation endpoints for requests from users without elevated privileges
- Implement logging for all file request creation and modification operations and correlate with user permission levels
- Review authentication and authorization logs for patterns indicating privilege escalation attempts
- Deploy web application firewall rules to detect anomalous API key generation patterns
Monitoring Recommendations
- Enable comprehensive audit logging for all API key operations in Gokapi
- Set up alerts for API key creation events from accounts without admin privileges
- Monitor for file request operations originating from newly created API keys
- Regularly review user permission assignments and API key usage patterns
How to Mitigate CVE-2026-29060
Immediate Actions Required
- Upgrade Gokapi to version 2.2.3 or later immediately
- Audit existing API keys and revoke any suspicious or unauthorized keys
- Review user accounts and ensure proper privilege assignments
- Check file request logs for any unauthorized creation or modification activities
Patch Information
The vulnerability has been patched in Gokapi version 2.2.3. Users should upgrade to this version or later to remediate the vulnerability. The patch addresses the improper access control by implementing proper permission validation during API key generation.
For detailed patch information, see the GitHub Gokapi Release v2.2.3.
Workarounds
- If upgrading is not immediately possible, restrict user registration to trusted individuals only
- Remove access for users who do not require file sharing capabilities
- Consider temporarily disabling API key generation functionality if not essential to operations
- Implement network-level access controls to limit exposure of the Gokapi instance
# Verify Gokapi version after upgrade
./gokapi --version
# Expected output: 2.2.3 or higher
# Review and audit existing API keys
# Access the Gokapi admin panel and navigate to API key management
# Revoke any unauthorized or suspicious API keys
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
