The vulnerability identified as CVE-2026-29061 affects Forceu's Gokapi, a self-hosted file sharing server that supports automatic expiration and encryption. The root cause is improper access control (CWE-284) in the user rank demotion logic prior to version 2.2.3. When a user's rank is demoted, their existing API keys erroneously retain permissions ApiPermManageFileRequests and ApiPermManageLogs. These permissions allow the user to manage upload requests and access server logs, respectively. Consequently, a demoted user can continue to perform privileged actions despite having been stripped of all other privileges. The vulnerability requires the attacker to have an existing authenticated session and involves user interaction to exploit. The CVSS 3.1 base score is 5.4 (medium severity), reflecting network attack vector, low attack complexity, required privileges, and user interaction. The scope is changed (S:C) because the vulnerability allows access beyond the original authorization boundaries. Confidentiality and integrity are impacted due to unauthorized access to sensitive logs and management functions, but availability is unaffected. No known exploits are reported in the wild. The issue was addressed in Gokapi version 2.2.3 by correcting the access control logic to revoke permissions from API keys upon user rank demotion.

This vulnerability can lead to unauthorized access to sensitive operational data and management functions within Gokapi servers. Attackers who have been demoted but retain API keys can continue to view logs, potentially exposing sensitive information such as user activity or system errors. They can also manage upload requests, which could be abused to upload malicious files or interfere with legitimate file sharing workflows. This undermines the integrity of the system's access control and could facilitate further attacks or data leakage. Organizations relying on Gokapi for secure file sharing may face increased risk of insider threats or compromised accounts maintaining elevated access. While availability is not directly impacted, the breach of confidentiality and integrity can have serious compliance and reputational consequences, especially in regulated industries or environments handling sensitive data.

The primary mitigation is to upgrade all affected Gokapi instances to version 2.2.3 or later, where the vulnerability has been patched. Administrators should audit existing API keys, especially those belonging to demoted users, and revoke or regenerate them to ensure no lingering elevated permissions remain. Implement strict API key lifecycle management and monitoring to detect anomalous usage patterns. Employ role-based access control (RBAC) reviews regularly to confirm that user privileges and associated API keys are synchronized correctly. Additionally, enable detailed logging and alerting on API key usage related to upload management and log access endpoints to detect potential abuse. Consider implementing multi-factor authentication (MFA) for administrative access to reduce the risk of compromised credentials being exploited. Finally, educate users and administrators about the importance of promptly updating software and revoking credentials when user roles change.