
CVE-2026-30961: CWE-770: Allocation of Resources Without Limits or Throttling in Forceu Gokapi

Severity: Medium
Tags: Vulnerability, CVE-2026-30961, cve, cve-2026-30961, cwe-770
Published: Fri Mar 13 2026 (03/13/2026, 19:09:38 UTC)
Source: CVE Database V5
Vendor/Project: Forceu
Product: Gokapi

Description

Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to 2.2.4, the chunked upload completion path for file requests does not validate the total file size against the per-request MaxSize limit. An attacker with a public file request link can split an oversized file into chunks each under MaxSize and upload them sequentially, bypassing the size restriction entirely. Files up to the server's global MaxFileSizeMB are accepted regardless of the file request's configured limit. This vulnerability is fixed in 2.2.4.

AI-Powered Analysis

AI analysis last updated: 03/13/2026, 19:44:17 UTC

Technical Analysis

The vulnerability identified as CVE-2026-30961 affects Forceu's Gokapi, a self-hosted file sharing server that supports automatic expiration and encryption. Prior to version 2.2.4, the chunked upload completion mechanism fails to validate the total file size against the configured per-request MaxSize limit. Specifically, an attacker possessing a public file request link can circumvent the intended size restriction by splitting a large file into multiple smaller chunks, each individually under the MaxSize threshold. These chunks are uploaded sequentially, and the server erroneously accepts the entire file as valid, up to the global MaxFileSizeMB limit configured on the server. This flaw stems from an allocation of resources without proper limits or throttling, classified under CWE-770. The vulnerability does not require user interaction and can be exploited remotely with low privileges. While the confidentiality and integrity of data are not directly compromised, the unchecked acceptance of oversized files can lead to resource exhaustion, impacting server availability and performance. The issue was publicly disclosed on March 13, 2026, and has a CVSS v3.1 base score of 4.3 (medium severity). The fix was implemented in Gokapi version 2.2.4, which properly enforces the per-request MaxSize limit during chunked uploads.
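The size check described above, written out as an added illustration in Go (Gokapi's implementation language) and not Gokapi's own code: a completion routine that bounds each chunk individually against MaxSize but checks the assembled total only against the server-wide limit, beside a hardened one that also bounds the running total against the per-request MaxSize. The FileRequest and Chunk types, the byte-valued MaxSize and the sample chunk sizes are assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
)

// FileRequest models the per-request settings behind a public upload link.
// Illustrative type for this example, not Gokapi's own structure.
type FileRequest struct {
	ID      string
	MaxSize int64 // maximum accepted total size, in bytes, for this link
}

// Chunk is one piece of a chunked upload as recorded server-side.
type Chunk struct {
	Index int
	Size  int64
}

var (
	ErrChunkTooLarge = errors.New("chunk exceeds per-request MaxSize")
	ErrTotalTooLarge = errors.New("assembled file exceeds per-request MaxSize")
	ErrGlobalLimit   = errors.New("assembled file exceeds global MaxFileSizeMB")
)

// completeVulnerable mirrors the flawed pattern the advisory describes: every
// chunk is checked against MaxSize on its own, but the assembled total is only
// compared with the global limit, so N chunks each under MaxSize slip through.
func completeVulnerable(req FileRequest, chunks []Chunk, globalMaxBytes int64) (int64, error) {
	var total int64
	for _, c := range chunks {
		if c.Size > req.MaxSize {
			return 0, ErrChunkTooLarge
		}
		total += c.Size
	}
	if total > globalMaxBytes {
		return 0, ErrGlobalLimit
	}
	return total, nil
}

// completeFixed additionally bounds the running total by the per-request
// MaxSize, which is the check the 2.2.4 fix is described as adding. The total
// is checked on every iteration so the upload is rejected as soon as it
// crosses the limit, not only after all chunks have been staged.
func completeFixed(req FileRequest, chunks []Chunk, globalMaxBytes int64) (int64, error) {
	var total int64
	for _, c := range chunks {
		if c.Size > req.MaxSize {
			return 0, ErrChunkTooLarge
		}
		total += c.Size
		if total > req.MaxSize {
			return 0, ErrTotalTooLarge
		}
	}
	if total > globalMaxBytes {
		return 0, ErrGlobalLimit
	}
	return total, nil
}

// mib converts mebibytes to bytes.
func mib(n int64) int64 { return n * 1024 * 1024 }

func main() {
	req := FileRequest{ID: "example-request", MaxSize: mib(10)}
	// Constructed upload: five 8 MiB chunks, each under MaxSize, 40 MiB in total.
	var chunks []Chunk
	for i := 0; i < 5; i++ {
		chunks = append(chunks, Chunk{Index: i, Size: mib(8)})
	}
	globalMax := mib(100)

	total, err := completeVulnerable(req, chunks, globalMax)
	fmt.Printf("vulnerable: total=%d err=%v\n", total, err)
	total, err = completeFixed(req, chunks, globalMax)
	fmt.Printf("fixed:      total=%d err=%v\n", total, err)
}
```

The vulnerable routine accepts the 40 MiB file because no chunk exceeds 10 MiB and 40 MiB is under the 100 MiB global cap; the fixed routine rejects it on the second chunk, when the running total first exceeds the per-request limit.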

Potential Impact

The primary impact of this vulnerability is on the availability of the Gokapi server. By bypassing the per-request file size limit, an attacker can upload very large files in chunks, consuming excessive disk space, memory, and processing resources. This can degrade server performance, cause denial of service conditions, or disrupt legitimate file sharing operations. Organizations relying on Gokapi for secure and efficient file sharing may experience service interruptions or increased operational costs due to resource exhaustion. Although the vulnerability does not expose sensitive data or allow unauthorized data modification, the denial of service potential can affect business continuity, especially in environments with high file sharing demands or limited server capacity. Additionally, the vulnerability could be leveraged as part of a larger attack chain to distract or overwhelm defenders. Since exploitation requires only a public file request link, any exposed or shared links are potential attack vectors, increasing the risk in publicly accessible deployments.

Mitigation Recommendations

The primary mitigation is to upgrade Gokapi to version 2.2.4 or later, where the vulnerability is fixed by enforcing the per-request MaxSize limit during chunked uploads. Until upgrading is possible, administrators should implement strict monitoring of upload sizes and rates, setting alerts for unusual or excessive chunked upload activity. Configuring global MaxFileSizeMB to a conservative value can reduce potential resource exhaustion. Network-level controls such as rate limiting and IP reputation filtering can help limit abusive upload attempts. Additionally, restricting public file request link distribution and implementing authentication or access controls on file requests can reduce exposure. Regularly auditing server resource usage and logs for anomalies related to chunked uploads is recommended. Finally, consider deploying web application firewalls (WAFs) with custom rules to detect and block suspicious chunked upload patterns.
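The upload monitoring recommended above, as an added example that is not taken from the page or from Gokapi: it parses constructed chunk-upload log lines (the `key=value` layout is an assumption made here, not Gokapi's real log format), sums uploaded bytes per file request link and flags any link whose cumulative total exceeds the per-request limit that link should have enforced, reporting the chunk count and time span so the alert can be triaged against expected upload rates.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
	"time"
)

// ChunkEvent is one chunk-upload record extracted from a log line.
type ChunkEvent struct {
	At      time.Time
	Request string // identifier of the public file request link
	Bytes   int64
}

// Constructed sample log for this example. The key=value layout is an
// assumption and is not Gokapi's real log format.
const sampleLog = `2026-03-13T19:00:01Z event=chunk_upload request=req-A chunk=0 bytes=8388608
2026-03-13T19:00:03Z event=chunk_upload request=req-B chunk=0 bytes=1048576
2026-03-13T19:00:04Z event=chunk_upload request=req-A chunk=1 bytes=8388608
2026-03-13T19:00:07Z event=chunk_upload request=req-A chunk=2 bytes=8388608
2026-03-13T19:00:09Z event=chunk_upload request=req-A chunk=3 bytes=8388608
2026-03-13T19:00:12Z event=chunk_upload request=req-A chunk=4 bytes=8388608
2026-03-13T19:00:15Z event=file_download request=req-B bytes=1048576`

// parseChunkEvents keeps only chunk_upload lines and parses their fields.
func parseChunkEvents(log string) ([]ChunkEvent, error) {
	var events []ChunkEvent
	for _, line := range strings.Split(strings.TrimSpace(log), "\n") {
		fields := strings.Fields(line)
		if len(fields) < 2 {
			continue
		}
		at, err := time.Parse(time.RFC3339, fields[0])
		if err != nil {
			return nil, fmt.Errorf("bad timestamp %q: %w", fields[0], err)
		}
		kv := map[string]string{}
		for _, f := range fields[1:] {
			if k, v, ok := strings.Cut(f, "="); ok {
				kv[k] = v
			}
		}
		if kv["event"] != "chunk_upload" {
			continue
		}
		n, err := strconv.ParseInt(kv["bytes"], 10, 64)
		if err != nil {
			return nil, fmt.Errorf("bad bytes in %q: %w", line, err)
		}
		events = append(events, ChunkEvent{At: at, Request: kv["request"], Bytes: n})
	}
	return events, nil
}

// Finding reports one file request whose cumulative chunk bytes exceed the
// per-request limit, with the chunk count and the time span they arrived in.
type Finding struct {
	Request string
	Total   int64
	Chunks  int
	Span    time.Duration
}

// detectOversizedRequests sums uploaded bytes per request link and flags any
// link whose total exceeds maxSize. Results are sorted for stable output.
func detectOversizedRequests(events []ChunkEvent, maxSize int64) []Finding {
	type acc struct {
		total       int64
		chunks      int
		first, last time.Time
	}
	byReq := map[string]*acc{}
	for _, e := range events {
		a, ok := byReq[e.Request]
		if !ok {
			a = &acc{first: e.At, last: e.At}
			byReq[e.Request] = a
		}
		a.total += e.Bytes
		a.chunks++
		if e.At.Before(a.first) {
			a.first = e.At
		}
		if e.At.After(a.last) {
			a.last = e.At
		}
	}
	var out []Finding
	for req, a := range byReq {
		if a.total > maxSize {
			out = append(out, Finding{Request: req, Total: a.total, Chunks: a.chunks, Span: a.last.Sub(a.first)})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Request < out[j].Request })
	return out
}

func main() {
	events, err := parseChunkEvents(sampleLog)
	if err != nil {
		panic(err)
	}
	for _, f := range detectOversizedRequests(events, 10*1024*1024) {
		fmt.Printf("ALERT request=%s total=%d bytes chunks=%d span=%s\n", f.Request, f.Total, f.Chunks, f.Span)
	}
}
```

On the constructed input, req-A accumulates 40 MiB across five chunks in eleven seconds and is flagged against a 10 MiB per-request limit, while req-B's single 1 MiB chunk is not; the same aggregation can run against whatever per-request limit the deployment actually configures.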


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-03-07T17:34:39.981Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 69b465b22f860ef9438da289

Added to database: 3/13/2026, 7:29:54 PM

Last enriched: 3/13/2026, 7:44:17 PM

Last updated: 3/13/2026, 8:36:30 PM

Views: 4

