Forceu Gokapi is a self-hosted file sharing server that supports automatic expiration and encryption of shared files. Versions prior to 2.2.3 contain a CSRF vulnerability (CVE-2026-29084) in the login flow. Specifically, the login handler accepts credential-bearing HTTP requests without verifying that the request originates from the legitimate browser session context. This lack of CSRF tokens or other anti-CSRF mechanisms allows an attacker to craft malicious web pages or emails that cause an authenticated user to unknowingly submit login requests with attacker-controlled credentials. The server parses form values directly and creates a session upon successful credential validation, enabling session creation without explicit user intent. Although the vulnerability requires user interaction (e.g., visiting a malicious page), it does not require elevated privileges beyond the ability to induce the victim to submit the request. The vulnerability impacts confidentiality and integrity by potentially allowing unauthorized session creation or credential misuse but does not affect availability. The issue was publicly disclosed and patched in version 2.2.3, which introduces proper CSRF protections tied to the browser session context to prevent such attacks.

This vulnerability can allow attackers to perform unauthorized login actions on behalf of users by exploiting the lack of CSRF protections in the login flow. For organizations, this can lead to unauthorized access to file sharing sessions, exposing sensitive or confidential data. Attackers could leverage this to create sessions with attacker-controlled credentials or hijack legitimate user sessions, undermining data confidentiality and integrity. While availability is not impacted, the breach of confidentiality and integrity can have serious consequences, especially for organizations relying on Gokapi for secure file sharing. The risk is heightened in environments where users have elevated privileges or where sensitive data is frequently shared. Since exploitation requires user interaction but no elevated privileges, phishing or social engineering campaigns could be used to trigger the attack. The absence of known exploits in the wild currently reduces immediate risk but does not eliminate the threat, especially if attackers develop exploit techniques.

Organizations should immediately upgrade all Forceu Gokapi instances to version 2.2.3 or later, where the CSRF vulnerability is patched. In addition to upgrading, administrators should implement strict Content Security Policies (CSP) to limit the ability of malicious sites to execute scripts or submit forms. Employing browser security features such as SameSite cookies can reduce CSRF risks by restricting cookie transmission on cross-site requests. Monitoring and logging login attempts for unusual patterns can help detect potential exploitation attempts. User education to recognize phishing attempts and avoid clicking suspicious links is critical since exploitation requires user interaction. Where possible, multi-factor authentication (MFA) should be enforced to reduce the impact of unauthorized session creation. Finally, developers should review other parts of the application for similar CSRF weaknesses and adopt secure coding practices including CSRF tokens and origin checks.