VDB
CVE-2026-29061
CVE-2026-29061
PUBLISHED
CVSS 5.400000095367432 MEDIUM
Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to version 2.2.3, a privilege escalation vulnerability in the user rank demotion logic allows a demoted user's existing API keys to retain ApiPermManageFileRequests and ApiPermManageLogs permissions, enabling continued access to upload-request management and log viewing endpoints after the user has been stripped of all privileges. This issue has been patched in version 2.2.3.
EPSS 0.01% · 0.7th percentile
Risk Scores
CVSS v3.1
5.400000095367432
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
EPSS Score
0.01%
0.7th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| forceu | gokapi | 0, 0 |
| Forceu | Gokapi | *, < 2.2.3 |
| github.com | forceu/gokapi | 0, 0 |
Timeline
- Mar 5, 2026 CVE Published
- Mar 6, 2026 CVE Updated
- Mar 6, 2026 EPSS Score
- Mar 7, 2026 EPSS Score
- Mar 8, 2026 EPSS Score
- Mar 10, 2026 EPSS Score
- Mar 11, 2026 EPSS Score
- Mar 12, 2026 EPSS Score
- Mar 13, 2026 EPSS Score
- Mar 14, 2026 EPSS Score
- Mar 15, 2026 EPSS Score
- Mar 17, 2026 EPSS Score