CVE-2026-30955: CWE-400: Uncontrolled Resource Consumption in Forceu Gokapi
Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to 2.2.4, an API endpoint accepts unbounded request bodies without any size limit. An authenticated user can cause an OOM kill and complete service disruption for all users. This vulnerability is fixed in 2.2.4.
AI Analysis
Technical Summary
CVE-2026-30955 is a resource exhaustion vulnerability classified under CWE-400 affecting Forceu's Gokapi, a self-hosted file sharing server that supports automatic expiration and encryption. The vulnerability exists because an API endpoint in versions prior to 2.2.4 does not impose any size restrictions on incoming request bodies. An authenticated attacker can exploit this by sending excessively large payloads to this endpoint, causing the server to consume excessive memory resources. This uncontrolled resource consumption can trigger the operating system's out-of-memory (OOM) killer, terminating the Gokapi process and resulting in a denial of service (DoS) condition. The vulnerability does not affect confidentiality or integrity, as it does not allow data leakage or modification, but it significantly impacts availability by disrupting service for all users. The CVSS v3.1 score is 6.5 (medium), reflecting the network attack vector, low attack complexity, required privileges (authenticated user), no user interaction, and impact limited to availability. No known exploits are currently reported in the wild. The issue is resolved in Gokapi version 2.2.4 by implementing request size limits or other resource control mechanisms on the vulnerable API endpoint.
Potential Impact
The primary impact of this vulnerability is a denial of service through resource exhaustion. Organizations running vulnerable versions of Gokapi risk complete service disruption if an authenticated user abuses the unbounded request size. This can affect business continuity, especially for organizations relying on Gokapi for secure file sharing and collaboration. The disruption could lead to operational delays, loss of productivity, and potential reputational damage. Since the vulnerability requires authentication, the threat is somewhat mitigated by access controls; however, insider threats or compromised accounts could still exploit it. The lack of confidentiality or integrity impact limits data breach concerns, but availability loss in critical environments can have significant consequences. The absence of known exploits reduces immediate risk but does not eliminate the threat, especially as the vulnerability is publicly disclosed.
Mitigation Recommendations
Organizations should upgrade Gokapi to version 2.2.4 or later, where the vulnerability is fixed. If immediate upgrade is not feasible, administrators should implement strict API gateway or web application firewall (WAF) rules to limit request body sizes on the vulnerable endpoint. Monitoring and alerting on abnormal request sizes and resource usage can help detect exploitation attempts early. Enforcing strong authentication and access controls reduces the risk of malicious authenticated users. Additionally, isolating the Gokapi service in resource-limited containers or virtual machines can prevent system-wide OOM kills. Regularly auditing user accounts and session activity helps identify potential insider threats. Finally, maintaining updated backups and incident response plans ensures rapid recovery from potential service disruptions.
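The pattern behind this class of bug, and the request-body cap the mitigation section recommends, as an added Go illustration (not Gokapi's own code; the endpoint path, handler names and the 1 MiB limit are assumptions for the example):

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Assumed limit for this example (1 MiB); size it to the endpoint's real payload.
const maxBodyBytes int64 = 1 << 20

// unboundedHandler: the CWE-400 pattern from the advisory, the body is buffered with no cap.
func unboundedHandler(w http.ResponseWriter, r *http.Request) {
	body, err := io.ReadAll(r.Body) // allocation grows with whatever the client sends
	if err != nil {
		http.Error(w, "bad request", http.StatusBadRequest)
		return
	}
	fmt.Fprintf(w, "accepted %d bytes", len(body))
}

// boundedHandler: http.MaxBytesReader stops the read at maxBodyBytes with *http.MaxBytesError.
func boundedHandler(w http.ResponseWriter, r *http.Request) {
	r.Body = http.MaxBytesReader(w, r.Body, maxBodyBytes)
	body, err := io.ReadAll(r.Body)
	switch {
	case errors.As(err, new(*http.MaxBytesError)):
		http.Error(w, "request body too large", http.StatusRequestEntityTooLarge)
	case err != nil:
		http.Error(w, "bad request", http.StatusBadRequest)
	default:
		fmt.Fprintf(w, "accepted %d bytes", len(body))
	}
}

// statusFor drives a handler with an in-memory POST of bodySize bytes and returns its status code.
func statusFor(h http.HandlerFunc, bodySize int) int {
	body := strings.NewReader(strings.Repeat("A", bodySize))
	rec := httptest.NewRecorder()
	h(rec, httptest.NewRequest(http.MethodPost, "/api/example", body))
	return rec.Code
}

func main() {
	fmt.Println(statusFor(boundedHandler, 1024))                // 200
	fmt.Println(statusFor(boundedHandler, int(maxBodyBytes)+1)) // 413
}
```

A reverse proxy or WAF limit in front of the service is a useful second layer, but the in-process cap is what stops the allocation itself.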
Affected Countries
United States, Germany, United Kingdom, France, Canada, Australia, Netherlands, Japan, South Korea, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-07T17:34:39.981Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69b465b22f860ef9438da285
Added to database: 3/13/2026, 7:29:54 PM
Last enriched: 3/13/2026, 7:44:26 PM
Last updated: 3/13/2026, 8:35:05 PM