CVE-2026-30961 Overview
CVE-2026-30961 is a Resource Exhaustion vulnerability in Gokapi, a self-hosted file sharing server with automatic expiration and encryption support. The vulnerability exists in versions prior to 2.2.4 where the chunked upload completion path for file requests does not validate the total file size against the per-request MaxSize limit. This flaw allows attackers to bypass configured file size restrictions by splitting oversized files into smaller chunks.
Critical Impact
Attackers with access to a public file request link can upload files exceeding the configured size limit, potentially exhausting server storage resources and bypassing administrative controls designed to limit file sizes.
Affected Products
- Forceu Gokapi versions prior to 2.2.4
- All deployments using public file request links with MaxSize limits configured
- Self-hosted Gokapi instances with chunked upload functionality enabled
Discovery Timeline
- 2026-03-13 - CVE-2026-30961 published to NVD
- 2026-03-17 - Last updated in NVD database
Technical Details for CVE-2026-30961
Vulnerability Analysis
This vulnerability stems from improper validation of cumulative file sizes during chunked upload operations. When users upload files through Gokapi's file request feature, administrators can configure a MaxSize limit to restrict the size of individual uploads. However, the validation logic only checks the size of each individual chunk against this limit, rather than tracking and validating the total size of all chunks combined.
The practical impact allows an attacker who possesses a public file request link to circumvent size restrictions entirely. By splitting a large file into multiple chunks—each individually smaller than the configured MaxSize—the attacker can sequentially upload these chunks. The server accepts each chunk because it passes the per-chunk validation, ultimately assembling them into a file that exceeds the intended limit.
Files can grow up to the server's global MaxFileSizeMB configuration, so the per-request MaxSize set by the administrator is ignored entirely. The bypass is of a resource limit rather than of authentication: the attacker still needs a valid file request link, but that link's size policy no longer holds.
Root Cause
The root cause is a missing aggregate size validation in the chunked upload completion handler. The code path responsible for finalizing chunked uploads does not sum the sizes of all uploaded chunks and compare this total against the file request's MaxSize configuration. This is classified as CWE-770 (Allocation of Resources Without Limits or Throttling), as the server allocates storage resources without enforcing the intended constraints.
Attack Vector
The attack is network-based and requires only low privilege: possession of a valid public file request link. An attacker can exploit the vulnerability as follows:
- Obtain a public file request link that has a MaxSize limit configured
- Prepare a file larger than the configured limit
- Split the file into chunks, each smaller than the MaxSize threshold
- Upload each chunk sequentially through the chunked upload API
- Complete the upload, resulting in a file that exceeds the intended size limit
The attack exploits the gap between per-chunk validation and aggregate size enforcement. Because the chunked upload completion endpoint performs no final size validation, the assembled file bypasses the per-request limit. This can be used for denial of service through storage exhaustion, or simply to store files far larger than the administrator intended to accept through that request link.
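The following Go program is an added example written for this page to model the root cause and the attack steps above; it is not Gokapi's code. The types, function names, the byte-based MaxSize field and the 1 GiB stand-in for MaxFileSizeMB are all assumptions. AddChunk is the per-chunk check both variants share; CompleteVulnerable omits the aggregate check, CompleteFixed performs it, and UploadInChunks plays the attacker splitting a file so that every chunk individually passes.

```go
package main

import (
	"errors"
	"fmt"
)

// Illustrative model of a Gokapi-style "file request" upload. Not Gokapi's
// implementation: names, types and the byte-based MaxSize are assumptions.

// FileRequest carries the per-request upload limit an administrator configures.
// MaxSize is in bytes here; 0 means no per-request limit (assumption).
type FileRequest struct {
	ID      string
	MaxSize int64
}

// Upload tracks the chunks received so far for one in-progress upload.
type Upload struct {
	Request FileRequest
	Chunks  int
	Total   int64
}

// globalMaxFileSize stands in for the server-wide MaxFileSizeMB setting (1 GiB here).
const globalMaxFileSize int64 = 1 << 30

var (
	ErrChunkTooLarge = errors.New("chunk exceeds the file request's MaxSize")
	ErrTotalTooLarge = errors.New("assembled file exceeds the file request's MaxSize")
	ErrGlobalLimit   = errors.New("assembled file exceeds global MaxFileSizeMB")
)

// AddChunk is the per-chunk check the advisory describes: each chunk is compared
// with MaxSize on its own. Both completion variants below share this step.
func (u *Upload) AddChunk(size int64) error {
	if u.Request.MaxSize > 0 && size > u.Request.MaxSize {
		return ErrChunkTooLarge
	}
	u.Chunks++
	u.Total += size
	return nil
}

// CompleteVulnerable models the pre-2.2.4 completion path: only the global limit
// is enforced, so chunks that each passed AddChunk assemble into a file larger
// than MaxSize.
func (u *Upload) CompleteVulnerable() (int64, error) {
	if u.Total > globalMaxFileSize {
		return 0, ErrGlobalLimit
	}
	return u.Total, nil
}

// CompleteFixed adds the aggregate check the advisory says 2.2.4 introduces:
// the sum of all chunks must also fit the file request's MaxSize.
func (u *Upload) CompleteFixed() (int64, error) {
	if u.Total > globalMaxFileSize {
		return 0, ErrGlobalLimit
	}
	if u.Request.MaxSize > 0 && u.Total > u.Request.MaxSize {
		return 0, ErrTotalTooLarge
	}
	return u.Total, nil
}

// UploadInChunks models the attacker's side: split a file of total bytes into
// chunks of at most chunkSize bytes and send them in order, stopping at the
// first rejected chunk.
func UploadInChunks(req FileRequest, total, chunkSize int64) (*Upload, error) {
	if chunkSize <= 0 {
		return nil, errors.New("chunkSize must be positive")
	}
	u := &Upload{Request: req}
	for remaining := total; remaining > 0; remaining -= chunkSize {
		size := chunkSize
		if remaining < chunkSize {
			size = remaining // final, smaller chunk
		}
		if err := u.AddChunk(size); err != nil {
			return u, err
		}
	}
	return u, nil
}

func main() {
	const mib = 1 << 20
	req := FileRequest{ID: "demo-request", MaxSize: 50 * mib}

	// A 200 MiB file sent as 10 MiB chunks: every chunk is under the 50 MiB limit.
	u, err := UploadInChunks(req, 200*mib, 10*mib)
	if err != nil {
		fmt.Println("chunk rejected:", err)
		return
	}
	size, err := u.CompleteVulnerable()
	fmt.Printf("vulnerable completion: %d MiB stored, err=%v\n", size/mib, err)
	_, err = u.CompleteFixed()
	fmt.Printf("fixed completion: err=%v\n", err)

	// The same file as a single chunk is stopped by the per-chunk check alone.
	_, err = UploadInChunks(req, 200*mib, 200*mib)
	fmt.Printf("single 200 MiB chunk: err=%v\n", err)
}
```

The point the model makes is that the per-chunk check is necessary but not sufficient: the only place that knows the assembled size is the completion path, so that is where the MaxSize comparison has to live (in addition to, not instead of, the global MaxFileSizeMB check).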
Detection Methods for CVE-2026-30961
Indicators of Compromise
- Uploaded files exceeding the configured MaxSize limit on file requests
- Multiple sequential chunk uploads from the same source completing into large files
- Storage utilization anomalies or rapid growth beyond expected patterns
- Log entries showing chunked upload completions with final sizes exceeding request limits
Detection Strategies
- Monitor file request uploads and compare final file sizes against configured MaxSize values
- Implement alerting for files that approach or exceed the global MaxFileSizeMB through file request links
- Review access logs for patterns of chunked uploads that result in unexpectedly large files
- Audit file request configurations and compare against actual uploaded file sizes
Monitoring Recommendations
- Enable detailed logging for chunked upload operations including total assembled file sizes
- Set up storage utilization alerts to detect unexpected consumption patterns
- Monitor the file request upload endpoint for high-volume chunk submissions
- Implement anomaly detection for file sizes that deviate from typical upload patterns
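As an added example for the detection and monitoring points above (not Gokapi's code or tooling), the Go program below replays upload log lines, sums chunk sizes per upload and flags any upload whose running total exceeds the MaxSize configured for its file request. It alerts as soon as the total crosses the limit, before the upload completes, and marks the finding completed when the completion event arrives. The key=value log format, the request IDs and the limits are constructed for this example; Gokapi's own log format is not shown on this page, so parseLine would need adapting to a real deployment.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// Constructed sample log in a key=value format assumed for this example.
// Gokapi's real log format is not shown on the page; adapt parseLine to it.
const sampleLog = `2026-03-14T10:00:01Z event=chunk upload=u1 request=r1 size=10485760
2026-03-14T10:00:02Z event=chunk upload=u1 request=r1 size=10485760
2026-03-14T10:00:03Z event=chunk upload=u1 request=r1 size=10485760
2026-03-14T10:00:04Z event=chunk upload=u1 request=r1 size=10485760
2026-03-14T10:00:05Z event=chunk upload=u1 request=r1 size=10485760
2026-03-14T10:00:06Z event=chunk upload=u1 request=r1 size=10485760
2026-03-14T10:00:07Z event=complete upload=u1 request=r1
2026-03-14T10:05:00Z event=chunk upload=u2 request=r1 size=20971520
2026-03-14T10:05:01Z event=complete upload=u2 request=r1
2026-03-14T10:06:00Z event=chunk upload=u3 request=r2 size=20971520
2026-03-14T10:06:02Z event=chunk upload=u3 request=r2 size=20971520
`

// sampleLimits maps a file request ID to its configured MaxSize in bytes
// (constructed: r1 allows 50 MiB, r2 allows 30 MiB).
var sampleLimits = map[string]int64{
	"r1": 50 << 20,
	"r2": 30 << 20,
}

// Finding is one upload that crossed its request's MaxSize. Completed stays
// false while the upload is still in progress, so an alert can fire early.
type Finding struct {
	Upload    string
	Request   string
	Chunks    int
	Total     int64
	MaxSize   int64
	Completed bool
}

type uploadState struct {
	request string
	chunks  int
	total   int64
	finding int // index into findings, or -1 if not flagged yet
}

// parseLine turns "key=value" tokens into a map; tokens without '=' (such as
// the timestamp) are ignored.
func parseLine(line string) map[string]string {
	fields := make(map[string]string)
	for _, tok := range strings.Fields(line) {
		if k, v, ok := strings.Cut(tok, "="); ok {
			fields[k] = v
		}
	}
	return fields
}

// FindOversizedUploads sums chunk sizes per upload ID and reports every upload
// whose running total exceeds the MaxSize configured for its file request.
func FindOversizedUploads(logText string, limits map[string]int64) ([]Finding, error) {
	states := make(map[string]*uploadState)
	var findings []Finding
	sc := bufio.NewScanner(strings.NewReader(logText))
	for sc.Scan() {
		f := parseLine(sc.Text())
		id := f["upload"]
		if id == "" {
			continue // not an upload event
		}
		st, ok := states[id]
		if !ok {
			st = &uploadState{request: f["request"], finding: -1}
			states[id] = st
		}
		switch f["event"] {
		case "chunk":
			n, err := strconv.ParseInt(f["size"], 10, 64)
			if err != nil {
				return nil, fmt.Errorf("bad size in %q: %w", sc.Text(), err)
			}
			st.chunks++
			st.total += n
			limit, known := limits[st.request]
			if st.finding >= 0 {
				// already flagged: keep the totals current
				findings[st.finding].Chunks = st.chunks
				findings[st.finding].Total = st.total
			} else if known && limit > 0 && st.total > limit {
				st.finding = len(findings)
				findings = append(findings, Finding{
					Upload: id, Request: st.request, Chunks: st.chunks,
					Total: st.total, MaxSize: limit,
				})
			}
		case "complete":
			if st.finding >= 0 {
				findings[st.finding].Completed = true
			}
			delete(states, id)
		}
	}
	return findings, sc.Err()
}

func main() {
	findings, err := FindOversizedUploads(sampleLog, sampleLimits)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, f := range findings {
		fmt.Printf("upload=%s request=%s chunks=%d total=%dMiB limit=%dMiB completed=%v\n",
			f.Upload, f.Request, f.Chunks, f.Total>>20, f.MaxSize>>20, f.Completed)
	}
}
```

Run against the constructed log this reports u1 (60 MiB assembled against a 50 MiB limit, completed) and u3 (40 MiB so far against 30 MiB, still in progress); u2 stays under its limit and is not reported. Feeding the same replay from a scheduled job, or streaming it from the server's log, gives the "final size versus configured MaxSize" comparison the strategies above call for without waiting for storage alerts to trip.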
How to Mitigate CVE-2026-30961
Immediate Actions Required
- Upgrade Gokapi to version 2.2.4 or later immediately
- Review recently uploaded files via file requests to identify any that exceed configured limits
- Consider temporarily disabling public file request links until the upgrade is complete
- Audit storage consumption to identify potential abuse
Patch Information
The vulnerability has been fixed in Gokapi version 2.2.4. The patch implements proper aggregate size validation during chunked upload completion, ensuring that the total size of all chunks is validated against the file request's MaxSize configuration before finalizing the upload. Users should upgrade to this version or later to remediate the vulnerability. For detailed information, see the GitHub Security Advisory GHSA-45vh-rpc8-hxpp and the Gokapi Release v2.2.4.
Workarounds
- Temporarily disable public file request functionality until the patch can be applied
- Reduce the global MaxFileSizeMB setting: the assembled file is still bounded by this value, so lowering it caps the worst case, at the cost of applying to every upload on the instance
- Implement network-level controls to restrict access to file request endpoints
- Monitor and manually review all files uploaded via file requests for size compliance
- Note that reverse proxy body-size limits bound each request body, i.e. each chunk, not the assembled file, so they do not close this bypass on their own; they only cap how large a single chunk can be
# Configuration example
# Reverse proxy limits apply per request body, i.e. per chunk, not to the assembled file,
# so this does not close the bypass; it only caps the size of any single chunk request
# Example for nginx - add to the location block that proxies to Gokapi
client_max_body_size 50M; # upper bound per chunk request, not per assembled file
# Monitor storage usage on the Gokapi data volume
df -h /path/to/gokapi/data
# Check for oversized files uploaded in the last 7 days
# (adjust +100M to the largest MaxSize configured on any file request)
find /path/to/gokapi/data -type f -size +100M -mtime -7 -ls
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

