CVE-2026-30943: CWE-863: Incorrect Authorization in Forceu Gokapi
Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to 2.2.4, an insufficient authorization check in the file replace API allows a user with only list visibility permission (UserPermListOtherUploads) to delete another user's file by abusing the deleteNewFile flag, bypassing the requirement for UserPermDeleteOtherUploads. This vulnerability is fixed in 2.2.4.
AI Analysis
Technical Summary
The vulnerability identified as CVE-2026-30943 affects Forceu's Gokapi, a self-hosted file sharing server that supports automatic expiration and encryption. Prior to version 2.2.4, the file replace API contains an insufficient authorization check related to the deleteNewFile flag. Specifically, a user granted only the UserPermListOtherUploads permission, which normally allows viewing other users' files, can abuse this flag to delete files owned by other users. This bypasses the intended requirement for UserPermDeleteOtherUploads, a higher privilege needed to delete others' files. The flaw stems from improper enforcement of authorization logic within the API, categorized under CWE-863 (Incorrect Authorization). The vulnerability allows an authenticated user with limited permissions to perform unauthorized file deletions, impacting data integrity but not confidentiality or availability. The CVSS v3.1 base score is 4.1 (medium severity), reflecting network exploitability with low attack complexity, requiring privileges but no user interaction, and a scope change due to affecting other users' files. The vulnerability was published on March 13, 2026, and is fixed in Gokapi version 2.2.4. No public exploits or active exploitation have been reported to date.
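The authorization gap described above, as an added Go model rather than Gokapi's own code: a replace handler that copies one file's content over the caller's own file and optionally deletes the source. The permission names follow the advisory; the bit values, the Store type, the Replace signature with its strict switch, and the sample files are assumptions made for the example.

```go
package main

import "errors"

// Permission flags named after the advisory; the bit values are assumed.
type Permission uint
const (
	PermListOtherUploads Permission = 1 << iota
	PermDeleteOtherUploads
)

type User struct {
	Name  string
	Perms Permission
}
type StoredFile struct{ ID, Owner, Content string }

// Store is a hypothetical in-memory file table standing in for the server's database.
type Store struct{ Files map[string]StoredFile }
var ErrForbidden = errors.New("forbidden")

// Two distinct rights that the flaw conflated: seeing a file versus deleting it.
func canSee(u User, f StoredFile) bool    { return f.Owner == u.Name || u.Perms&PermListOtherUploads != 0 }
func canDelete(u User, f StoredFile) bool { return f.Owner == u.Name || u.Perms&PermDeleteOtherUploads != 0 }

// Replace copies newID's content over the caller's own file targetID and, when
// deleteNewFile is set, removes newID. strict=false models the pre-2.2.4 logic
// (deletion honoured after only the visibility check); strict=true adds the missing check.
func (s *Store) Replace(u User, targetID, newID string, deleteNewFile, strict bool) error {
	target, ok1 := s.Files[targetID]
	src, ok2 := s.Files[newID]
	if !ok1 || !ok2 || target.Owner != u.Name || !canSee(u, src) {
		return ErrForbidden
	}
	if deleteNewFile && strict && !canDelete(u, src) {
		return ErrForbidden // list visibility alone must not authorise deletion
	}
	target.Content = src.Content
	s.Files[targetID] = target
	if deleteNewFile {
		delete(s.Files, newID)
	}
	return nil
}

// NewStore returns constructed sample data: one file owned by bob, one by carol.
func NewStore() *Store {
	return &Store{Files: map[string]StoredFile{
		"f-bob": {"f-bob", "bob", "bob's report"}, "f-carol": {"f-carol", "carol", "draft"}}}
}
```

The useful audit question for any such endpoint is whether every side effect a flag can trigger has its own permission check, rather than inheriting the check of the primary operation.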
Potential Impact
This vulnerability primarily impacts the integrity of data stored on Gokapi servers by allowing unauthorized deletion of files owned by other users. Organizations relying on Gokapi for file sharing may face data loss or disruption of workflows if malicious or careless users exploit this flaw. Although confidentiality and availability remain unaffected, unauthorized deletions can lead to operational inefficiencies, potential data recovery costs, and loss of trust among users. In multi-tenant or collaborative environments, this could also result in internal conflicts or compliance issues if sensitive files are deleted without proper authorization. Since exploitation requires authenticated access with list visibility permissions, insider threats or compromised accounts pose the greatest risk. The absence of known exploits reduces immediate risk but does not eliminate the potential for future attacks, especially in environments where Gokapi is widely deployed.
Mitigation Recommendations
To mitigate this vulnerability, organizations should upgrade all Gokapi instances to version 2.2.4 or later, where the authorization check is properly enforced. Until upgrades can be applied, administrators should restrict UserPermListOtherUploads permissions to only trusted users and monitor file deletion activities closely. Implementing detailed audit logging for file operations can help detect suspicious deletions. Additionally, enforcing strong authentication mechanisms and regularly reviewing user permissions will reduce the risk of exploitation. Network-level controls such as segmentation and limiting access to the Gokapi server can further reduce exposure. Finally, educating users about the risks of privilege misuse and promptly revoking permissions for inactive or untrusted accounts will help contain potential abuse.
Affected Countries
United States, Germany, United Kingdom, France, Canada, Australia, Netherlands, Japan, South Korea, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-07T17:34:39.979Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69b465b22f860ef9438da281
Added to database: 3/13/2026, 7:29:54 PM
Last enriched: 3/13/2026, 7:44:37 PM
Last updated: 3/13/2026, 8:56:45 PM