CVE-2026-28682 in Gokapi

Summary

by MITRE • 03/06/2026

Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to version 2.2.3, the upload status SSE implementation on /uploadStatus publishes global upload state to any authenticated listener and includes file_id values that are not scoped to the requesting user. This issue has been patched in version 2.2.3.


Analysis

by VulDB Data Team • 03/06/2026

The vulnerability identified as CVE-2026-28682 affects Gokapi, a self-hosted file sharing server that provides automatic expiration and encryption features for secure file transfers. This security flaw resides in the server's implementation of Server-Sent Events (SSE) for upload status notifications, specifically within the /uploadStatus endpoint that serves real-time upload state information to connected clients. The issue represents a critical access control weakness that undermines the privacy and security guarantees typically expected from file sharing systems.

The technical flaw manifests in the improper scoping of file identifiers within the SSE implementation. When authenticated users connect to the /uploadStatus endpoint, the server broadcasts global upload state information to all connected listeners regardless of their individual user context. This means that file_id values included in the status updates are not properly isolated to the requesting user's session, creating a cross-contamination of upload information between different authenticated users. The vulnerability essentially allows any authenticated user to receive and potentially access information about files being uploaded by other users within the same system instance.

This flaw has significant operational impact as it violates fundamental security principles of user isolation and data confidentiality. An attacker with valid authentication credentials could exploit this vulnerability to monitor and potentially intercept sensitive information about other users' file upload activities, including file identifiers that could be used for further attacks or to gain unauthorized access to specific files. The exposure of file_id values creates opportunities for information disclosure attacks and could enable more sophisticated exploitation techniques targeting the broader file sharing system. The vulnerability particularly affects multi-user environments where multiple authenticated individuals share the same Gokapi instance.

The security implications extend beyond simple information disclosure, as this issue creates potential attack vectors for privilege escalation and data exfiltration. From a cybersecurity perspective, this vulnerability aligns with CWE-284 (Improper Access Control) and represents a failure in proper session isolation mechanisms. The ATT&CK framework would categorize this as a privilege escalation technique through information disclosure, potentially enabling further reconnaissance activities. Organizations using Gokapi should immediately implement the patch released in version 2.2.3, which properly scopes file_id values to individual user sessions and ensures that upload status information is only accessible to the authenticated user who initiated the corresponding upload operation. Additionally, system administrators should conduct thorough security audits to verify that no unauthorized access has occurred through this vulnerability, particularly in environments where sensitive data is regularly shared through the file sharing platform.
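The following Go program is an added illustration of the access-control pattern described above and is not Gokapi's code; the type, field and function names (UploadStatus, OwnerID, Hub, Subscribe, Publish) are assumptions, and only the file_id field name comes from the advisory. The same hub is run twice: once with the pre-2.2.3 behaviour, where every authenticated SSE listener receives the global upload state, and once with per-user scoping, where an event is only written to connections belonging to the user who owns the upload.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sync"
)

// UploadStatus is a constructed event shape. Only file_id is named in the
// advisory; OwnerID is an assumed routing field that is never serialised
// to the client, so scoping does not itself leak who owns what.
type UploadStatus struct {
	FileID   string `json:"file_id"`
	OwnerID  string `json:"-"`
	Progress int    `json:"progress"`
}

// Listener models one SSE connection, bound to the authenticated user who
// opened it. Received events are collected in a slice so the example runs
// deterministically without goroutines or real HTTP.
type Listener struct {
	userID string
	events []UploadStatus
}

// FileIDs returns the file_id values this connection has been shown.
func (l *Listener) FileIDs() []string {
	ids := make([]string, 0, len(l.events))
	for _, ev := range l.events {
		ids = append(ids, ev.FileID)
	}
	return ids
}

// Hub fans upload-status events out to connected listeners. Scoped=false
// reproduces the vulnerable behaviour: global state to every listener.
type Hub struct {
	mu        sync.Mutex
	listeners []*Listener
	Scoped    bool
}

func NewHub(scoped bool) *Hub { return &Hub{Scoped: scoped} }

// Subscribe registers an authenticated user's SSE connection.
func (h *Hub) Subscribe(userID string) *Listener {
	h.mu.Lock()
	defer h.mu.Unlock()
	l := &Listener{userID: userID}
	h.listeners = append(h.listeners, l)
	return l
}

// Publish delivers one event. The owner comparison is the fix: in scoped
// mode a listener only sees events for uploads it initiated.
func (h *Hub) Publish(ev UploadStatus) {
	h.mu.Lock()
	defer h.mu.Unlock()
	for _, l := range h.listeners {
		if h.Scoped && l.userID != ev.OwnerID {
			continue // other users never learn this file_id
		}
		l.events = append(l.events, ev)
	}
}

// Frame renders an event in SSE wire format (event/data lines, blank
// line terminator). OwnerID is excluded by its json:"-" tag.
func Frame(ev UploadStatus) string {
	body, _ := json.Marshal(ev)
	return fmt.Sprintf("event: upload\ndata: %s\n\n", body)
}

// Demo subscribes two constructed users, publishes one upload each and
// returns what every connection was shown.
func Demo(scoped bool) (aliceSees, bobSees []string) {
	h := NewHub(scoped)
	alice := h.Subscribe("alice")
	bob := h.Subscribe("bob")
	h.Publish(UploadStatus{FileID: "f-alice-001", OwnerID: "alice", Progress: 50})
	h.Publish(UploadStatus{FileID: "f-bob-001", OwnerID: "bob", Progress: 10})
	return alice.FileIDs(), bob.FileIDs()
}

func main() {
	for _, scoped := range []bool{false, true} {
		a, b := Demo(scoped)
		fmt.Printf("scoped=%v alice=%v bob=%v\n", scoped, a, b)
	}
	fmt.Print(Frame(UploadStatus{FileID: "f-alice-001", OwnerID: "alice", Progress: 50}))
}
```

In the unscoped run both connections are shown both file_id values, which is the cross-user disclosure the advisory describes; in the scoped run each user sees only their own upload. A real server would perform the same owner check at the point where it writes to each client's response stream, using the identity established when that connection was authenticated rather than anything supplied in the request.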

Responsible

GitHub M

Reservation

03/02/2026

Disclosure

03/06/2026

Moderation

accepted

CPE

ready

EPSS

0.00009

KEV

no

Activities

very low

Sources
