CVE-2026-30961 in Gokapi

Summary

by MITRE • 03/13/2026

Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to 2.2.4, the chunked upload completion path for file requests does not validate the total file size against the per-request MaxSize limit. An attacker with a public file request link can split an oversized file into chunks each under MaxSize and upload them sequentially, bypassing the size restriction entirely. Files up to the server's global MaxFileSizeMB are accepted regardless of the file request's configured limit. This vulnerability is fixed in 2.2.4.


Analysis

by VulDB Data Team • 03/20/2026

The vulnerability identified as CVE-2026-30961 affects Gokapi, a self-hosted file sharing server that provides automatic expiration and encryption features for secure file transfers. This server implementation allows users to create public file requests with specific size limitations, but a critical flaw exists in the chunked upload completion mechanism that undermines these security controls. The issue stems from inadequate validation within the file upload processing pipeline, specifically during the finalization phase of chunked uploads where the system fails to properly verify that the cumulative size of uploaded chunks does not exceed the configured per-request size limits. This represents a fundamental breakdown in access control and resource management within the application's file handling architecture.

The technical flaw manifests in the chunked upload completion path: the system accepts individual file chunks that each comply with the MaxSize limit but collectively exceed the configured request-specific restriction. Attackers can exploit this by splitting a large file into smaller chunks, each under the request's MaxSize, and uploading them sequentially to a public file request. The server processes each chunk independently without maintaining a running total or validating the accumulated size against the request's configured maximum, so data can accumulate beyond the intended restriction. This bypass effectively neutralizes the per-request size enforcement, enabling attackers to upload files up to the server's global MaxFileSizeMB limit regardless of the individual file request's configured restriction. The vulnerability operates at the application layer and represents a classic case of insufficient input validation and resource boundary enforcement.

The operational impact of this vulnerability is significant as it allows unauthorized data exfiltration and potential resource exhaustion attacks. An attacker can bypass size restrictions to upload arbitrarily large files, consuming server storage space and potentially causing denial of service conditions. The vulnerability affects the integrity of the file sharing system's access control mechanisms, enabling attackers to circumvent intended usage policies and potentially upload malicious content that exceeds normal security scanning capabilities. This represents a critical weakness in the server's resource management and access control implementation, as the system's ability to enforce size limits becomes completely unreliable. The vulnerability also impacts data governance and compliance requirements, as organizations relying on Gokapi for secure file sharing may experience unauthorized data transfers that exceed established limits.

Mitigation strategies for this vulnerability include immediate deployment of the patched version 2.2.4, which implements proper validation of cumulative chunk sizes against configured request limits. Organizations should also consider implementing additional monitoring and alerting mechanisms to detect unusual upload patterns or size anomalies that may indicate exploitation attempts. The fix addresses the core issue by ensuring that the chunked upload completion path validates the total accumulated file size against both the per-request MaxSize limit and the server's global MaxFileSizeMB restriction. Security teams should conduct thorough assessments of existing file requests to identify any potentially compromised uploads and review access control configurations to ensure proper enforcement of size limits. This vulnerability aligns with CWE-126 - Buffer Over-read and CWE-20 - Improper Input Validation, and represents a technique that could be categorized under ATT&CK tactic TA0009 - Collection and TA0040 - Resource Hijacking, as it enables unauthorized data transfer and resource consumption.
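The per-chunk check and the cumulative check described above, side by side, as an added example that is not Gokapi's own code: the types, field names and function names are constructed for illustration, with the vulnerable completion path returning whatever was staged and the fixed path validating the accumulated total against both the per-request MaxSize and the global MaxFileSizeMB.

```go
package main

import (
	"errors"
	"fmt"
)

// Constructed types for illustration; the names are assumptions, not Gokapi's own.
type FileRequest struct{ MaxSize int64 } // per-request cap in bytes
type Server struct {
	MaxFileSizeMB int64
	Staged        map[string][]int64 // upload id -> sizes of accepted chunks
}

var ErrTooLarge = errors.New("upload exceeds size limit")

func (s *Server) stagedTotal(uploadID string) int64 {
	var total int64
	for _, c := range s.Staged[uploadID] {
		total += c
	}
	return total
}

// AcceptChunk keeps the pre-2.2.4 per-chunk check: a chunk under MaxSize always passes,
// so chunks uploaded in sequence can accumulate well beyond the request's limit.
func (s *Server) AcceptChunk(uploadID string, req FileRequest, size int64) error {
	if size > req.MaxSize {
		return ErrTooLarge
	}
	s.Staged[uploadID] = append(s.Staged[uploadID], size)
	return nil
}

// CompleteVulnerable finalizes without re-checking the accumulated size (the bypass).
func (s *Server) CompleteVulnerable(uploadID string) (int64, error) {
	return s.stagedTotal(uploadID), nil
}

// CompleteFixed checks the cumulative total against the per-request MaxSize and the
// global MaxFileSizeMB before finalizing, and discards the staged chunks on failure.
func (s *Server) CompleteFixed(uploadID string, req FileRequest) (int64, error) {
	total := s.stagedTotal(uploadID)
	if total > req.MaxSize || total > s.MaxFileSizeMB*1024*1024 {
		delete(s.Staged, uploadID)
		return 0, fmt.Errorf("%w: %d bytes staged", ErrTooLarge, total)
	}
	return total, nil
}
```

For monitoring, the same running total is the signal worth alerting on: a file request whose staged bytes approach or exceed its MaxSize before completion indicates the pattern described above.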

Responsible: GitHub M

Reservation: 03/07/2026

Disclosure: 03/13/2026

Moderation: accepted

CPE: ready

EPSS: 0.00014

KEV: no

Activities: very low
