CVE-2026-29061 Overview
CVE-2026-29061 is a privilege escalation vulnerability in Gokapi, a self-hosted file sharing server with automatic expiration and encryption support. The vulnerability exists in the user rank demotion logic, where a demoted user's existing API keys retain ApiPermManageFileRequests and ApiPermManageLogs permissions even after the user has been stripped of all privileges. This allows continued unauthorized access to upload-request management and log viewing endpoints.
Critical Impact
Demoted users can retain administrative API capabilities, potentially accessing sensitive file upload requests and server logs after their privileges have been revoked.
Affected Products
- Forceu Gokapi versions prior to 2.2.3
Discovery Timeline
- 2026-03-06 - CVE-2026-29061 published to NVD
- 2026-03-09 - Last updated in NVD database
Technical Details for CVE-2026-29061
Vulnerability Analysis
This privilege escalation vulnerability (CWE-284: Improper Access Control) occurs due to a flaw in how Gokapi handles API key permissions during user rank demotion. When an administrator demotes a user's rank or strips their privileges, the system fails to properly revoke or update the permissions associated with that user's existing API keys.
The vulnerability specifically affects two sensitive permission scopes: ApiPermManageFileRequests, which controls upload-request management functionality, and ApiPermManageLogs, which grants access to server log viewing endpoints. A malicious user who anticipates demotion could retain API keys carrying these scopes and continue to access privileged functionality after their user account has been demoted.
Root Cause
The root cause lies in the incomplete implementation of the user demotion workflow. When a user's rank is modified, the system updates the user record but fails to cascade the permission change to the API keys associated with that user. This creates a privilege persistence issue: the API keys become decoupled from the user's actual permission level and keep elevated access that should have been revoked.
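To make the root cause concrete, here is an added example (not Gokapi's code; the data model, bit values, ranks and function names are assumptions, only the two permission names come from the advisory) showing the flawed demotion workflow beside one that cascades the rank change to the user's keys:

```go
package main

// Permission bits carried by an API key. The two names come from the advisory;
// the bit values and this data model are assumptions for the illustration, not
// Gokapi's own code.
type ApiPermission uint16

const (
	ApiPermUpload             ApiPermission = 1 << iota
	ApiPermManageFileRequests               // upload-request management
	ApiPermManageLogs                       // server log viewing
)

// adminOnlyPerms is everything a plain user rank is not entitled to.
const adminOnlyPerms = ApiPermManageFileRequests | ApiPermManageLogs

type User struct {
	Name    string
	IsAdmin bool
}

type ApiKey struct {
	Owner string
	Perms ApiPermission
}

// demoteVulnerable mirrors the flawed workflow: only the user record changes,
// so keys issued while the user was an admin keep their elevated bits.
func demoteVulnerable(u *User, keys []ApiKey) []ApiKey {
	u.IsAdmin = false
	return keys
}

// demoteFixed cascades the rank change to the user's keys by masking out every
// permission the new rank no longer grants; other users' keys are untouched.
func demoteFixed(u *User, keys []ApiKey) []ApiKey {
	u.IsAdmin = false
	for i := range keys {
		if keys[i].Owner == u.Name {
			keys[i].Perms &^= adminOnlyPerms
		}
	}
	return keys
}

// canManageLogs is the endpoint-side check: it trusts only the key's bits, which
// is why stale bits on a key outlive the owner's demotion.
func canManageLogs(k ApiKey) bool { return k.Perms&ApiPermManageLogs != 0 }
```

With a key created as ApiPermUpload | adminOnlyPerms, canManageLogs still reports true after demoteVulnerable and false after demoteFixed.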
Attack Vector
The attack vector is network-based and requires low privileges and user interaction. An attacker would need:
- An existing user account with elevated privileges in Gokapi
- One or more API keys with ApiPermManageFileRequests or ApiPermManageLogs permissions
- Knowledge or anticipation of an impending privilege demotion
Once demoted, the attacker can use their pre-existing API keys to continue accessing protected endpoints. This could enable unauthorized viewing of file upload requests (potentially containing sensitive data) and server logs (which may contain security-relevant information, user activity, and system details).
Detection Methods for CVE-2026-29061
Indicators of Compromise
- API requests to /api/fileRequests or log viewing endpoints from users whose accounts show reduced privileges
- Continued API key activity from accounts that have been recently demoted
- Discrepancies between user permission levels and API key access patterns in audit logs
Detection Strategies
- Implement monitoring for API key usage patterns, particularly after user permission changes
- Cross-reference user account privilege levels with API key activity to detect permission drift
- Audit all active API keys when user demotions occur to identify keys with elevated permissions
Monitoring Recommendations
- Enable detailed logging for all API endpoints, particularly those related to file request management and log viewing
- Set up alerts for API activity from recently demoted user accounts
- Regularly audit API key permissions against current user privilege levels
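The cross-referencing described in the detection strategies and the alerting recommended above, as an added example that is not part of the original advisory: it walks constructed audit lines (the log layout, the rank_change and api_call event names and the /api/logs path are assumptions; /api/fileRequests is the endpoint the advisory names) and flags privileged API calls made with a key whose owner was demoted earlier in the log.

```go
package main
import "strings"

// Constructed audit lines in a "timestamp event k=v ..." layout, assumed to be
// in chronological order; the layout is an assumption, not Gokapi's log format.
const sampleLog = `2026-03-07T09:50:00Z api_call key_owner=alice endpoint=/api/fileRequests
2026-03-07T10:00:00Z rank_change user=alice new_rank=user
2026-03-07T10:05:00Z api_call key_owner=alice endpoint=/api/fileRequests
2026-03-07T10:06:00Z api_call key_owner=bob endpoint=/api/fileRequests
2026-03-07T10:07:00Z api_call key_owner=alice endpoint=/api/files/list
2026-03-07T10:08:00Z api_call key_owner=alice endpoint=/api/logs`
// Endpoints only an admin-level key should reach; /api/logs is an assumed path.
var privilegedEndpoints = map[string]bool{"/api/fileRequests": true, "/api/logs": true}
// parseLine returns the k=v fields of one line plus "ts" and "event" entries,
// or nil for a line without at least a timestamp and an event name.
func parseLine(line string) map[string]string {
	parts := strings.Fields(line)
	if len(parts) < 2 {
		return nil
	}
	fields := map[string]string{"ts": parts[0], "event": parts[1]}
	for _, kv := range parts[2:] {
		if k, v, ok := strings.Cut(kv, "="); ok {
			fields[k] = v
		}
	}
	return fields
}

// findPermissionDrift remembers who was demoted to plain "user" rank and flags
// each later privileged call made with their keys; earlier calls, unprivileged
// endpoints, never-demoted users and malformed (nil) lines are not flagged.
func findPermissionDrift(log string) []string {
	demotedAt := map[string]string{}
	var findings []string
	for _, line := range strings.Split(log, "\n") {
		ev := parseLine(line)
		switch ev["event"] {
		case "rank_change":
			if ev["new_rank"] == "user" {
				demotedAt[ev["user"]] = ev["ts"]
			}
		case "api_call":
			if when, demoted := demotedAt[ev["key_owner"]]; demoted && privilegedEndpoints[ev["endpoint"]] {
				findings = append(findings, ev["key_owner"]+" reached "+ev["endpoint"]+" at "+ev["ts"]+" (demoted at "+when+")")
			}
		}
	}
	return findings
}
```

Run against sampleLog, only the two calls alice makes after her demotion to /api/fileRequests and /api/logs are reported; her earlier call, bob's call and the unprivileged /api/files/list call are not.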
How to Mitigate CVE-2026-29061
Immediate Actions Required
- Upgrade Gokapi to version 2.2.3 or later immediately
- Manually revoke all API keys for any users who have been recently demoted
- Audit existing API keys for permissions that exceed their associated user's current privilege level
- Review access logs for any unauthorized access to file request management or log viewing endpoints
Patch Information
This vulnerability has been patched in Gokapi version 2.2.3. The fix ensures that API key permissions are properly synchronized when user ranks are modified. Upgrade information is available at the GitHub Gokapi Release v2.2.3 page. Additional details about the vulnerability are documented in the GitHub Security Advisory GHSA-q658-hfpg-35qc.
Workarounds
- Manually revoke and regenerate API keys for any users whose privileges have been reduced
- Implement a policy to delete all API keys when demoting user accounts until the patch can be applied
- Temporarily disable API key functionality if immediate patching is not possible
# After upgrading, verify your Gokapi version
gokapi --version
# Expected output: 2.2.3 or higher
# Review and revoke API keys for demoted users via the admin interface
# Navigate to Settings > API Keys and audit permissions
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.