CVE-2026-30943 | THREATINT

Description

Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to 2.2.4, An insufficient authorization check in the file replace API allows a user with only list visibility permission (UserPermListOtherUploads) to delete another user's file by abusing the deleteNewFile flag, bypassing the requirement for UserPermDeleteOtherUploads. This vulnerability is fixed in 2.2.4.

PUBLISHED Reserved 2026-03-07 | Published 2026-03-13 | Updated 2026-03-13 | Assigner GitHub_M

MEDIUM: 4.1CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:N

Problem types

CWE-863: Incorrect Authorization

Product status

< 2.2.4

affected

References

github.com/...Gokapi/security/advisories/GHSA-j6jp-78w8-34x6

github.com/Forceu/Gokapi/releases/tag/v2.2.4

cve.org (CVE-2026-30943)

nvd.nist.gov (CVE-2026-30943)

Download JSON