CVE-2026-29060: CWE-284: Improper Access Control in Forceu Gokapi
Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to version 2.2.3, a registered user without privileges to create or modify file requests is able to create a short-lived API key that has the permission to do so. The user must be registered with Gokapi. If there are no users with access to the admin/upload menu, there is no impact. This issue has been patched in version 2.2.3.
AI Analysis
Technical Summary
Gokapi is a self-hosted file sharing server that provides encrypted file transfers with automatic expiration. In versions prior to 2.2.3, an access control weakness (CWE-284) allows any registered user, including one without permission to create or modify file requests, to generate a short-lived API key that carries that permission. API key creation does not cap a key's permissions at those of the user creating it, so the key becomes a vehicle for privilege escalation within the application. The vendor description does not indicate that stored file contents are exposed; the impact is that a low-privileged user can create or modify file requests, operations otherwise reserved for users with access to the admin/upload menu, and so can disrupt intended file-sharing workflows. If no user has access to the admin/upload menu, the vendor states there is no impact. Exploitation requires a registered account but no user interaction, and is performed remotely over the network. The vulnerability is tracked as CVE-2026-29060 with a CVSS 3.1 base score of 5.0 (medium severity). It is fixed in Gokapi version 2.2.3. No public exploit has been reported to date, but the risk is greatest for deployments with multiple registered users at differing privilege levels.
Potential Impact
The primary impact of CVE-2026-29060 is privilege escalation within a Gokapi deployment. An attacker holding a registered account without elevated privileges can mint an API key that lets them create or modify file requests, actions normally reserved for users with access to the admin/upload menu. That is enough to manipulate file-sharing workflows and, if abused at scale, to disrupt the service; the vendor description does not indicate that stored file contents are exposed, but altered file requests can still affect how data is collected and handled. Multi-user deployments are at risk, particularly where account provisioning or permission reviews are lax. Because a registered account is required, the attacker population is limited to insiders and anyone holding compromised credentials; because no user interaction is needed and the request is a plain network call, exploitation is easy to script once such an account exists. The medium severity rating (CVSS 3.1 base score 5.0) reflects this combination: a real but bounded risk for affected deployments.
Mitigation Recommendations
To mitigate CVE-2026-29060, upgrade Gokapi to version 2.2.3 or later, where the access control flaw is patched. Until that is possible: restrict registration to trusted users and review which accounts have access to the admin/upload menu, since the vendor notes there is no impact when no user has it; log and monitor API key creation and file-request creation or modification so that a key exercising permissions its owner does not hold stands out; limit network access to the Gokapi server to the networks that need it; and require strong authentication for registered users to reduce the chance of an attacker obtaining the account the attack needs. After upgrading, audit existing API keys and revoke any whose permissions exceed their owner's; keys minted through the flaw are short-lived and will expire on their own, but a still-valid one should not be left to run out. Keep auditing accounts and permissions on a schedule to prevent privilege creep, disable self-registration or API key generation if the deployment offers those settings and they are not needed, and keep an incident response plan ready for anomalous file-request activity.
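The following Go program is an added illustration of the weakness described in the Technical Summary and of the post-upgrade key audit recommended above. It is not Gokapi's code: the permission bits, the User and APIKey types, and the function names are assumptions made for this example. IssueKeyVulnerable models the pre-2.2.3 behaviour (a key is minted with whatever permissions are requested), IssueKey caps a key at its creator's own permissions, and AuditKeys flags keys that hold more than their owner does.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// Permission is a bit set of capabilities. The names follow the advisory's
// wording; the values and the model itself are assumptions for this example,
// not Gokapi's real permission scheme.
type Permission uint32

const (
	PermUpload            Permission = 1 << iota // upload files
	PermCreateFileRequest                        // create file requests
	PermModifyFileRequest                        // modify existing file requests
	PermManageUsers                              // administer accounts
)

type User struct {
	Name  string
	Perms Permission
}

type APIKey struct {
	ID      string
	Owner   string
	Perms   Permission
	Expires time.Time
}

var ErrExceedsOwner = errors.New("key permissions exceed the creating user's permissions")

// newKeyID returns a random 128-bit identifier (hypothetical key format).
func newKeyID() string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return hex.EncodeToString(b)
}

// IssueKeyVulnerable models the pre-2.2.3 behaviour the advisory describes:
// the caller's own permissions are never consulted, so a registered user
// without PermCreateFileRequest obtains it simply by asking for it on the key.
func IssueKeyVulnerable(u User, requested Permission, ttl time.Duration) APIKey {
	return APIKey{ID: newKeyID(), Owner: u.Name, Perms: requested, Expires: time.Now().Add(ttl)}
}

// IssueKey is the hardened variant: an API key is a delegation of its owner's
// authority, so the requested set must be a subset of what the owner holds.
// requested &^ u.Perms is the set of bits requested but not held.
func IssueKey(u User, requested Permission, ttl time.Duration) (APIKey, error) {
	if excess := requested &^ u.Perms; excess != 0 {
		return APIKey{}, fmt.Errorf("%w: excess bits %#x", ErrExceedsOwner, uint32(excess))
	}
	return APIKey{ID: newKeyID(), Owner: u.Name, Perms: requested, Expires: time.Now().Add(ttl)}, nil
}

// Authorize is the check an API handler runs before a privileged action:
// the key must be unexpired and hold every bit the action needs.
func Authorize(k APIKey, need Permission, now time.Time) bool {
	return now.Before(k.Expires) && k.Perms&need == need
}

// AuditKeys lists keys whose permissions exceed their current owner's (or
// whose owner no longer exists). Run it after upgrading: keys minted through
// the flaw are short-lived, but any not yet expired surface here, as do keys
// left over after an owner's permissions were reduced.
func AuditKeys(keys []APIKey, users map[string]User) []string {
	var suspect []string
	for _, k := range keys {
		owner, ok := users[k.Owner]
		if !ok || k.Perms&^owner.Perms != 0 {
			suspect = append(suspect, k.ID)
		}
	}
	return suspect
}

func main() {
	// Constructed scenario: alice may upload but may not touch file requests.
	alice := User{Name: "alice", Perms: PermUpload}
	now := time.Now()

	escalated := IssueKeyVulnerable(alice, PermCreateFileRequest|PermModifyFileRequest, 10*time.Minute)
	fmt.Println("vulnerable: key may create file requests:", Authorize(escalated, PermCreateFileRequest, now))

	if _, err := IssueKey(alice, PermCreateFileRequest, 10*time.Minute); err != nil {
		fmt.Println("hardened: refused:", err)
	}
	uploadOnly, _ := IssueKey(alice, PermUpload, 10*time.Minute)
	fmt.Println("hardened: upload-only key may create file requests:", Authorize(uploadOnly, PermCreateFileRequest, now))

	fmt.Println("audit flags:", AuditKeys([]APIKey{escalated, uploadOnly}, map[string]User{"alice": alice}))
}
```

The subset test is the whole fix: a key may narrow its owner's authority but never widen it, and that rule has to hold at issuance time, not only when the key is used. AuditKeys applies the same rule to keys already in the store, which is the check to run right after upgrading rather than waiting for short-lived keys to expire.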
Affected Countries
United States, Germany, United Kingdom, France, Canada, Australia, Netherlands, Japan, South Korea, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-03T17:50:11.244Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69aa6319c48b3f10ff13540d
Added to database: 3/6/2026, 5:16:09 AM
Last enriched: 3/6/2026, 5:31:17 AM
Last updated: 4/20/2026, 6:46:54 AM