CVE-2026-29084 Overview
CVE-2026-29084 is a Cross-Site Request Forgery (CSRF) vulnerability affecting Gokapi, a self-hosted file sharing server with automatic expiration and encryption support. Prior to version 2.2.3, the login flow accepts credential-bearing requests without CSRF protection mechanisms tied to the browser session context. The handler parses form values directly and creates a session on successful credential validation, allowing attackers to potentially forge authenticated requests.
Critical Impact
Attackers can exploit the missing CSRF protection to forge login requests on behalf of authenticated users, potentially leading to unauthorized session creation and account compromise in self-hosted file sharing environments.
Affected Products
- Forceu Gokapi versions prior to 2.2.3
Discovery Timeline
- 2026-03-06 - CVE-2026-29084 published to NVD
- 2026-03-09 - Last updated in NVD database
Technical Details for CVE-2026-29084
Vulnerability Analysis
This vulnerability stems from insufficient CSRF protection in the authentication mechanism of Gokapi. The login endpoint processes credential-bearing requests without validating that the request originated from the legitimate application context. When a user submits login credentials, the handler directly parses form values and creates a session upon successful validation without verifying a CSRF token tied to the browser session.
The impact allows an attacker to construct malicious web pages or links that, when visited by a victim who is already authenticated or about to authenticate, could submit forged requests to the Gokapi server. This could lead to unauthorized session creation, credential manipulation, or other authentication-related attacks.
Root Cause
The root cause is the absence of CSRF protection mechanisms in the login flow. The authentication handler accepts and processes credential-bearing POST requests without requiring or validating anti-CSRF tokens. This allows cross-origin requests to be processed as if they were legitimate user actions, as the server has no mechanism to distinguish between requests initiated by the user through the legitimate interface versus requests forged by a malicious third-party site.
Attack Vector
The attack vector is network-based and requires user interaction. An attacker must craft a malicious webpage containing a form or script that automatically submits a login request to the victim's Gokapi instance. When an authenticated user visits the attacker's page, the forged request is sent to the Gokapi server with the user's existing session cookies, potentially allowing the attacker to manipulate the authentication state.
The vulnerability is exploited by hosting a malicious HTML page that contains a hidden form targeting the Gokapi login endpoint. When a victim with an active session visits this page, JavaScript or an auto-submitting form sends the forged credentials to the server. Since no CSRF token validation exists, the server processes this request as legitimate. For detailed technical information, refer to the GitHub Security Advisory GHSA-hcff-qv74-7hr4.
Detection Methods for CVE-2026-29084
Indicators of Compromise
- Unusual login attempts originating from external referrer URLs that do not match the legitimate Gokapi application domain
- Session creation events with suspicious HTTP Referer headers pointing to external websites
- Multiple rapid authentication requests from the same IP address with varying credentials
Detection Strategies
- Monitor web server logs for login POST requests that contain unusual or external Referer headers
- Implement web application firewall (WAF) rules to detect cross-origin authentication requests lacking proper CSRF tokens
- Review authentication logs for patterns indicating automated or forged request submissions
Monitoring Recommendations
- Enable detailed logging for all authentication endpoints including full HTTP headers
- Configure alerting for login attempts with missing or invalid Origin/Referer headers
- Implement anomaly detection for authentication patterns that deviate from normal user behavior
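A log check that applies the Detection Strategies and Monitoring Recommendations above, as an added Go example that is not part of this advisory: it scans nginx access-log lines for POSTs to /login whose Origin header, or Referer when Origin is absent, is missing or belongs to another site. It assumes the "combined" log format with $http_origin appended as an extra quoted field, the /login path, and constructed sample lines.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Assumed nginx log_format: "combined" plus "$http_origin" appended as one more quoted
// field (not a Gokapi or nginx default); nginx writes "-" for an absent header.
var lineRe = regexp.MustCompile(`^(\S+) \S+ \S+ \[[^\]]+\] "([A-Z]+) (\S+) [^"]*" \d{3} \d+ "([^"]*)" "[^"]*" "([^"]*)"$`)

func absent(v string) bool { return v == "" || v == "-" }

// sameOrigin reports whether hdr (an Origin or Referer value) was sent from expected
// ("scheme://host[:port]"); unparsable values such as "null" never match.
func sameOrigin(hdr, expected string) bool {
	u, err := url.Parse(hdr)
	if err != nil || u.Scheme == "" || u.Host == "" {
		return false
	}
	return strings.EqualFold(u.Scheme+"://"+u.Host, expected)
}

// CheckLogin returns "" for a benign line, or "<client>: <reason>" when the line is a POST
// to /login whose Origin (checked first: browsers send it on cross-site POSTs) or, if Origin
// is absent, Referer is missing or points outside the Gokapi origin.
func CheckLogin(line, expectedOrigin string) string {
	m := lineRe.FindStringSubmatch(line)
	if m == nil || m[2] != "POST" || strings.SplitN(m[3], "?", 2)[0] != "/login" {
		return ""
	}
	addr, referer, origin := m[1], m[4], m[5]
	switch {
	case !absent(origin) && !sameOrigin(origin, expectedOrigin):
		return addr + ": cross-site Origin " + origin
	case absent(origin) && absent(referer):
		return addr + ": login POST with neither Origin nor Referer"
	case absent(origin) && !sameOrigin(referer, expectedOrigin):
		return addr + ": external Referer " + referer
	}
	return ""
}

// Constructed sample lines: a same-origin login, a login POST launched from another site,
// a login POST with both headers stripped, and a plain GET of the login page.
var sampleLog = []string{
	`203.0.113.10 - - [06/Mar/2026:10:00:01 +0000] "POST /login HTTP/1.1" 303 0 "https://gokapi.example.com/login" "Mozilla/5.0" "https://gokapi.example.com"`,
	`198.51.100.7 - - [06/Mar/2026:10:00:05 +0000] "POST /login HTTP/1.1" 303 0 "https://lure.example/page.html" "Mozilla/5.0" "https://lure.example"`,
	`198.51.100.8 - - [06/Mar/2026:10:00:09 +0000] "POST /login HTTP/1.1" 303 0 "-" "Mozilla/5.0" "-"`,
	`203.0.113.10 - - [06/Mar/2026:10:00:12 +0000] "GET /login HTTP/1.1" 200 1423 "-" "Mozilla/5.0" "-"`,
}

func main() { // prints one verdict per sample line ("" means benign)
	for _, l := range sampleLog {
		fmt.Printf("%q\n", CheckLogin(l, "https://gokapi.example.com"))
	}
}
```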
How to Mitigate CVE-2026-29084
Immediate Actions Required
- Upgrade Gokapi to version 2.2.3 or later immediately
- Review authentication logs for any suspicious login activity that may have occurred prior to patching
- Ensure all user sessions are invalidated and users are required to re-authenticate after the upgrade
Patch Information
The vulnerability has been patched in Gokapi version 2.2.3. The fix implements proper CSRF protection mechanisms for the login flow, ensuring that credential-bearing requests are validated against browser session context. Users should upgrade to this version or later to remediate the vulnerability. The patched release is available at the Gokapi v2.2.3 Release page.
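The pattern the Root Cause and Patch Information sections describe, as an added Go example that is not Gokapi's code and does not reproduce the 2.2.3 fix: the POST branch on its own is the vulnerable flow (parse form, check credentials, create session), and the token issued on GET and compared before the credential check is the binding to browser context that the fix adds. The cookie name, the credential stub, the session stub and the port are assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"net/http"
)

const csrfCookie = "login_csrf" // assumed cookie name, not Gokapi's own

// NewLoginToken returns an unguessable token that the login page both stores in a
// cookie and embeds in its form, tying the form to the browser that loaded it.
func NewLoginToken() string {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failing CSPRNG is not something a login flow can recover from
	}
	return hex.EncodeToString(b)
}

// ValidateLoginToken is the check the vulnerable flow lacked: the form's token must be present
// and equal (constant-time) to the cookie's; a form on another site can neither read nor guess it.
func ValidateLoginToken(cookieToken, formToken string) bool {
	if len(cookieToken) != 64 || len(formToken) != 64 {
		return false
	}
	return subtle.ConstantTimeCompare([]byte(cookieToken), []byte(formToken)) == 1
}

// Stand-ins for the credential check and session creation (assumed, not Gokapi's code).
func checkCredentials(user, pass string) bool { return user == "demo" && pass == "demo-pass" }
func createSession(w http.ResponseWriter) { http.SetCookie(w, &http.Cookie{Name: "session", Value: "fresh-session-id", HttpOnly: true}) }

// loginHandler: GET issues the token as a cookie and as a hidden field; POST compares the echoed
// field with the cookie before it looks at the credentials. Without that comparison the POST branch
// is exactly the vulnerable pattern: parse form, check credentials, create session.
func loginHandler(w http.ResponseWriter, r *http.Request) {
	if r.Method == http.MethodGet {
		tok := NewLoginToken()
		http.SetCookie(w, &http.Cookie{Name: csrfCookie, Value: tok, Path: "/login",
			HttpOnly: true, Secure: true, SameSite: http.SameSiteStrictMode})
		fmt.Fprintf(w, `<form method="post"><input type="hidden" name="csrf" value="%s"></form>`, tok)
		return
	}
	c, err := r.Cookie(csrfCookie)
	if err != nil || !ValidateLoginToken(c.Value, r.FormValue("csrf")) {
		http.Error(w, "missing or invalid login CSRF token", http.StatusForbidden)
		return
	}
	if checkCredentials(r.FormValue("user"), r.FormValue("pass")) {
		createSession(w)
	}
}

func main() { http.ListenAndServe(":8080", http.HandlerFunc(loginHandler)) } // port assumed
```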
Workarounds
- Deploy a reverse proxy with CSRF protection capabilities in front of the Gokapi instance
- Implement network-level access controls to restrict access to the login endpoint from trusted networks only
- Enable additional authentication factors if supported to reduce the impact of potential CSRF attacks
# Example: Restrict login POSTs to Gokapi's own origin using nginx. Stopgap only: it relies on
# the Referer header, which a browser may omit; upgrading to 2.2.3 or later is the real fix.
location /login {
    # Only login POSTs are checked, so opening /login directly (no Referer) still works
    set $block_login 0;
    if ($request_method = POST) { set $block_login 1; }
    # Accept POSTs whose Referer is the Gokapi origin itself; the (/|$) anchor keeps
    # "your-gokapi-domain.com.evil.example" from matching
    if ($http_referer ~* "^https://your-gokapi-domain\.com(/|$)") { set $block_login 0; }
    if ($block_login) { return 403; }
    proxy_pass http://localhost:53842;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.