CVE-2026-28682: CWE-284: Improper Access Control in Forceu Gokapi
Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to version 2.2.3, the upload status SSE implementation on /uploadStatus publishes global upload state to any authenticated listener and includes file_id values that are not scoped to the requesting user. This issue has been patched in version 2.2.3.
AI Analysis
Technical Summary
Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to version 2.2.3, the server-sent events (SSE) stream served at /uploadStatus is an improper access control weakness (CWE-284) whose effect is information exposure: the handler publishes the instance's global upload state to every subscriber, so any authenticated user who opens the stream receives progress events for every upload in flight on the server, including file_id values for uploads that belong to other users. The only check the pre-2.2.3 handler makes is that the subscriber is logged in; it never asks whether the subscriber owns the upload an event refers to. Exploitation requires nothing beyond a valid account and an SSE client (a browser's EventSource or curl will do) and no interaction from the victim, so the issue is reachable by any other account holder, an insider, or an attacker holding a compromised credential, but not by an unauthenticated party. The CVSS v3.1 score is 6.4 (medium), reflecting a network attack vector, low attack complexity, the low privileges of an ordinary account, no user interaction, and a changed scope, since the disclosed data belongs to users other than the one the session is authorized for. Version 2.2.3 fixes the issue by scoping the events a subscriber receives to that subscriber's own uploads. No public exploit has been reported, but none is needed: on an affected instance with more than one user account the leak is observable simply by keeping the stream open.
Potential Impact
The direct impact is unauthorized disclosure of upload metadata: the file_id values of other users' uploads, together with whatever progress state the stream attaches to them. The advisory describes the leak as metadata rather than file contents, and it does not describe a way to read or alter another user's files from the stream alone; whether a leaked file_id is by itself enough to reach the file depends on what the identifier is used for elsewhere in the deployment, which the advisory does not address, so leaked identifiers should be treated as sensitive. Even as pure metadata the leak is useful reconnaissance: it tells an attacker that another user is uploading, roughly when, and under which identifier, which is exactly the information needed to target a specific file or user in a follow-on attack or social engineering attempt. Because authentication is required, the attacker population is other account holders, insiders, and holders of stolen credentials; a single-user deployment has nobody to leak to, while on a shared or multi-tenant instance every user can watch every other user's upload activity. Organizations that rely on Gokapi to keep transfers confidential may face compliance exposure if that activity is itself sensitive. The upload status a client renders is also unreliable on affected versions, since it is mixed with events for uploads the user does not own. Availability is not affected.
Mitigation Recommendations
Upgrade Gokapi to version 2.2.3 or later; the missing ownership check is server-side, so no client-side setting removes it. Until the upgrade is applied, the one interim control that actually closes the leak is to deny the /uploadStatus path at the reverse proxy, or to restrict it to the administrator's source addresses. That disables live upload progress for everyone it blocks, so test on a staging instance that uploads still complete with the stream unavailable before relying on it. Where one server hosts users who must not see each other's activity, run a separate Gokapi instance per group until patched. Because the attacker must hold a valid session, the usual account hygiene still counts: enforce strong credentials, keep session lifetimes short, and review authentication and proxy logs for accounts that hold long-lived connections to /uploadStatus while performing no uploads of their own, which is the pattern of a passive listener. Network segmentation and firewall rules that keep the server off untrusted networks limit where a stolen credential can be used from. After upgrading, confirm the fix rather than assume it: subscribe to /uploadStatus as one user while a second user uploads a file, and check that no file_id belonging to the second user appears in the first user's stream.
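The following Go program is an added illustration for the technical summary and the verification step above; it is not taken from Gokapi's code base. It models a hub that fans upload events out to every authenticated SSE listener (the pre-2.2.3 behaviour) beside one that delivers each event only to the listener who owns the upload (the 2.2.3 behaviour), and adds a small checker that scans a captured text/event-stream and reports every file_id the requesting user does not own, which is what the post-upgrade verification looks for. The UploadEvent type, its owner field, the event name "upload", the Hub API and the sample identifiers are all assumptions made for this example; only the file_id field name comes from the advisory.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"strings"
)

// UploadEvent is a hypothetical event; only the file_id name comes from the advisory.
type UploadEvent struct {
	FileID string `json:"file_id"`
	Owner  string `json:"owner"` // assumed: the user that started the upload
}

// Hub fans events out to SSE listeners, keyed by the user that opened each stream.
type Hub struct {
	subs map[string][]chan UploadEvent
}

func NewHub() *Hub { return &Hub{subs: map[string][]chan UploadEvent{}} }

func (h *Hub) Subscribe(user string) chan UploadEvent {
	ch := make(chan UploadEvent, 64)
	h.subs[user] = append(h.subs[user], ch)
	return ch
}

// PublishGlobal is the vulnerable pattern: being logged in is the only check.
func (h *Hub) PublishGlobal(ev UploadEvent) {
	for _, streams := range h.subs {
		for _, ch := range streams {
			ch <- ev
		}
	}
}

// PublishScoped is the fixed pattern: ownership is checked server-side per event.
func (h *Hub) PublishScoped(ev UploadEvent) {
	for _, ch := range h.subs[ev.Owner] {
		ch <- ev
	}
}

// Drain returns every event currently queued on a listener's channel.
func Drain(ch chan UploadEvent) []UploadEvent {
	var out []UploadEvent
	for {
		select {
		case ev := <-ch:
			out = append(out, ev)
		default:
			return out
		}
	}
}

// EncodeSSE serialises one event as a text/event-stream record.
func EncodeSSE(ev UploadEvent) string {
	body, _ := json.Marshal(ev)
	return fmt.Sprintf("event: upload\ndata: %s\n\n", body)
}

// ForeignFileIDs returns every file_id in a captured SSE stream the user does not own.
func ForeignFileIDs(stream string, owned map[string]bool) []string {
	var foreign []string
	sc := bufio.NewScanner(strings.NewReader(stream))
	for sc.Scan() {
		line := sc.Text()
		if !strings.HasPrefix(line, "data:") {
			continue // event:, id:, ":" comments and blank lines carry no payload
		}
		var ev UploadEvent
		if err := json.Unmarshal([]byte(strings.TrimSpace(line[5:])), &ev); err != nil {
			continue // non-JSON data line, e.g. a keep-alive
		}
		if ev.FileID != "" && !owned[ev.FileID] {
			foreign = append(foreign, ev.FileID)
		}
	}
	return foreign
}

func main() {
	h := NewHub()
	alice := h.Subscribe("alice")
	// Constructed sample events: alice and bob each have one upload in flight.
	evA := UploadEvent{FileID: "f-alice-1", Owner: "alice"}
	evB := UploadEvent{FileID: "f-bob-1", Owner: "bob"}
	h.PublishGlobal(evA)
	h.PublishGlobal(evB)
	fmt.Printf("global fan-out: alice sees %d events\n", len(Drain(alice)))
	h.PublishScoped(evA)
	h.PublishScoped(evB)
	fmt.Printf("owner-scoped: alice sees %d events\n", len(Drain(alice)))
	// Constructed capture of alice's stream as an unpatched server would send it.
	owned := map[string]bool{"f-alice-1": true}
	fmt.Println("foreign file_ids:", ForeignFileIDs(EncodeSSE(evA)+EncodeSSE(evB), owned))
}
```

The point of the two publish functions is where the decision lives: the scoped version never relies on the client to ignore events it should not see. ForeignFileIDs is meant to be fed the raw body captured from a real /uploadStatus connection (for example with curl -N while a second account uploads); the set of owned identifiers comes from the requesting user's own uploads, and any output at all means the instance is still affected.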
Affected Countries
United States, Germany, United Kingdom, France, Canada, Australia, Netherlands, Japan, South Korea, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-02T21:43:19.927Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69aa6319c48b3f10ff135401
Added to database: 3/6/2026, 5:16:09 AM
Last enriched: 3/6/2026, 5:31:32 AM
Last updated: 3/7/2026, 6:58:33 AM