Improper authorization control for web services in github.com/forceu/gokapi

Description

Gokapi has privilege escalation via incomplete API-key permission revocation on user rank demotion

Summary

A privilege escalation vulnerability in the user rank demotion logic allows a demoted user's existing API keys to retain ApiPermManageFileRequests and ApiPermManageLogs permissions, enabling continued access to upload-request management and log viewing endpoints after the user has been stripped of all privileges.

Impact

Any user who previously held Admin rank and had API keys with ApiPermManageFileRequests or ApiPermManageLogs retains those capabilities after demotion. This allows offboarded or demoted users to:

    Create, list, and delete upload requests

    Read application logs and system status
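The demotion gap described above, as an added illustration that is not Gokapi's own code: a constructed permission bitmask and user/key model in which ApiPermManageFileRequests and ApiPermManageLogs are the bits named in the advisory, while ApiPermView, ApiPermUpload and every type and function name are hypothetical. It places a demotion routine that only changes rank beside one that also strips admin-only bits from the user's existing keys, which is the check a defender would add or test for.

```go
package main

import "fmt"

// API-key permission bits. ApiPermManageFileRequests and ApiPermManageLogs are
// named in the advisory; ApiPermView and ApiPermUpload are placeholders.
type ApiPermission uint16

const (
	ApiPermView ApiPermission = 1 << iota
	ApiPermUpload
	ApiPermManageFileRequests
	ApiPermManageLogs
)

// Bits that must not outlive Admin rank.
const adminOnlyPerms = ApiPermManageFileRequests | ApiPermManageLogs

type ApiKey struct {
	ID, Owner   string
	Permissions ApiPermission
}
type User struct {
	Name    string
	IsAdmin bool
}

// demoteIncomplete reproduces the flaw: rank changes, existing keys are untouched.
func demoteIncomplete(u *User, keys []ApiKey) { u.IsAdmin = false }

// demoteComplete also strips admin-only bits from every key the user owns.
func demoteComplete(u *User, keys []ApiKey) {
	u.IsAdmin = false
	for i := range keys {
		if keys[i].Owner == u.Name {
			keys[i].Permissions &^= adminOnlyPerms
		}
	}
}

// authorize is the check an endpoint runs against the presented key.
func authorize(key ApiKey, required ApiPermission) bool {
	return key.Permissions&required == required
}
func main() {
	u := User{Name: "alice", IsAdmin: true}
	keys := []ApiKey{{ID: "k1", Owner: "alice", Permissions: ApiPermUpload | adminOnlyPerms}}
	demoteComplete(&u, keys)
	fmt.Println(authorize(keys[0], ApiPermManageLogs)) // false: admin-only bits stripped
}
```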

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions