CVE-2026-30955 in Gokapi

Summary

by MITRE • 03/13/2026

Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to 2.2.4, an API endpoint accepts unbounded request bodies without any size limit. An authenticated user can cause an OOM kill and complete service disruption for all users. This vulnerability is fixed in 2.2.4.


Analysis

by VulDB Data Team • 03/20/2026

The vulnerability identified as CVE-2026-30955 affects Gokapi, a self-hosted file sharing server that provides automatic expiration and encryption features for file transfers. This system operates as a centralized file sharing solution where users can upload, manage, and access files with built-in security measures including encryption and time-based expiration. The server architecture relies on API endpoints to handle file operations and user interactions, making the API layer a critical component for system functionality and security.

The technical flaw resides in an API endpoint that does not bound the size of the request body it reads. This is not a buffer overflow: Gokapi is written in Go, a memory-safe language, so the defect is unbounded allocation rather than memory corruption. The endpoint reads whatever the client sends into process memory, so an authenticated user who can reach it decides how much memory the server allocates for that request. Because no size constraint is enforced, a single oversized request, or a handful of concurrent ones, can push the heap past the memory available to the process.

The operational impact is loss of availability for every user of the instance. Once the process exceeds the memory available to it, either the Go runtime aborts because it cannot obtain memory or the kernel's out-of-memory killer terminates the Gokapi process. In both cases the service stops, all shared files become unreachable, and no upload or download can proceed until the service is restarted. Any in-flight transfers at the moment of the kill are lost, and unless a supervisor restarts the process the outage persists until an operator intervenes.

The vulnerability is classified as CWE-770, Allocation of Resources Without Limits or Throttling. In MITRE ATT&CK terms it maps to the Impact tactic, specifically Endpoint Denial of Service (T1499); no privilege escalation is involved, and the original page's reference to that category was in error. The authentication requirement limits exposure to holders of valid credentials, but it does not reduce the severity of the outcome: a compromised account, a leaked API key, or an insider is enough, and the cost to the attacker is a single large request. Version 2.2.4 fixes the issue; the advisory does not describe the change beyond stating that the endpoint previously had no size limit, so the fix is understood to enforce one on that endpoint.

Operators should upgrade to 2.2.4 or later. Independently of the patch, a reverse proxy in front of Gokapi (for example nginx with client_max_body_size) caps request bodies before they reach the application, which also protects any endpoint the advisory does not name. Running the service under a memory limit (a systemd MemoryMax setting or a container memory limit) with automatic restart confines the damage of an OOM kill to the Gokapi process and shortens the outage. Monitoring resident memory of the process and alerting on sudden growth, together with rate limiting on the API, gives early warning of abuse; because exploitation requires credentials, the audit should also cover which API keys exist and whether any are shared or long-lived. For developers, the durable fix is to wrap every body-reading handler in http.MaxBytesReader with an explicit limit, and to stream uploads to disk in bounded chunks rather than buffering a whole request body in memory.
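The following Go program is an added illustration and is not Gokapi's code; it shows the unbounded read pattern the analysis describes next to the hardened form using http.MaxBytesReader, and drives both through httptest so the difference is visible without sending a real multi-gigabyte body. The 1 MiB limit and the /api/upload path are assumptions chosen for the example; the advisory does not state what limit 2.2.4 applies or which endpoint was affected.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// maxBodyBytes is an assumed cap for this illustration; the advisory does not
// state what limit Gokapi 2.2.4 applies.
const maxBodyBytes = 1 << 20 // 1 MiB

// unboundedHandler reproduces the CWE-770 pattern from the analysis: it reads
// the entire body into memory with no cap, so the allocation size is chosen by
// the client. A large enough body drives the process toward an OOM kill.
func unboundedHandler(w http.ResponseWriter, r *http.Request) {
	body, err := io.ReadAll(r.Body)
	if err != nil {
		http.Error(w, "read failed", http.StatusBadRequest)
		return
	}
	fmt.Fprintf(w, "received %d bytes", len(body))
}

// boundedHandler is the hardened form. http.MaxBytesReader stops the read one
// byte past maxBodyBytes, returns *http.MaxBytesError, and tells the server to
// close the connection rather than drain the rest of the body.
func boundedHandler(w http.ResponseWriter, r *http.Request) {
	r.Body = http.MaxBytesReader(w, r.Body, maxBodyBytes)
	body, err := io.ReadAll(r.Body)
	if err != nil {
		var tooBig *http.MaxBytesError
		if errors.As(err, &tooBig) {
			http.Error(w, "request body too large", http.StatusRequestEntityTooLarge)
			return
		}
		http.Error(w, "read failed", http.StatusBadRequest)
		return
	}
	fmt.Fprintf(w, "received %d bytes", len(body))
}

// post drives a handler with a constructed body of `size` bytes (all "A")
// through httptest, so the two behaviours can be compared without opening a
// socket. The path /api/upload is a placeholder, not Gokapi's real endpoint.
func post(h http.HandlerFunc, size int) (status int, reply string) {
	req := httptest.NewRequest(http.MethodPost, "/api/upload",
		strings.NewReader(strings.Repeat("A", size)))
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Code, strings.TrimSpace(rec.Body.String())
}

func main() {
	for _, c := range []struct {
		name string
		h    http.HandlerFunc
		size int
	}{
		{"unbounded, 2 MiB", unboundedHandler, 2 * maxBodyBytes},
		{"bounded, exactly 1 MiB", boundedHandler, maxBodyBytes},
		{"bounded, 1 MiB + 1", boundedHandler, maxBodyBytes + 1},
	} {
		status, reply := post(c.h, c.size)
		fmt.Printf("%-24s -> %d %s\n", c.name, status, reply)
	}
}
```

Two points of design are worth noting. http.MaxBytesReader is preferred over io.LimitReader for request bodies because, when it trips, it signals the server to close the connection instead of discarding the remainder of the body, so the client cannot keep the server busy reading bytes it will never use. Bounding the body is also only the first half of the fix for an upload service: even a bounded body should be streamed to its destination in chunks rather than held in memory, otherwise the limit simply becomes the per-request allocation that many concurrent requests can still multiply.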

Responsible

GitHub M

Reservation

03/07/2026

Disclosure

03/13/2026

Moderation

accepted

CPE

ready

EPSS

0.00014

KEV

no

Activities

very low
