Improper authorization control for web services in github.com/forceu/gokapi

Gokapi has Data Leak in Upload Status Stream

Description

The Server-Sent Events (SSE) upload status stream on /uploadStatus publishes global upload state to every authenticated listener, including file_id values that are not scoped to the requesting user.

Impact

Any authenticated user can observe other users' file identifiers from the stream and use them to retrieve content they are not authorized to access, causing cross-tenant data exposure and loss of confidentiality for uploaded documents.
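The weakness above is a fan-out that ignores ownership. The following added Go example is not Gokapi's code; it contrasts a hub that broadcasts every upload event to every listener (the leaky pattern) with one that delivers an event only to subscribers authenticated as the upload's owner, and wires the scoped variant to an /uploadStatus-style SSE handler. The UploadEvent type, the X-Demo-User header standing in for a real session lookup, and the route are all assumptions made for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"sync"
)

// UploadEvent is a constructed event shape for this example (not Gokapi's type).
// OwnerID drives routing only and is never serialized to clients.
type UploadEvent struct {
	FileID   string `json:"file_id"`
	Progress int    `json:"progress"`
	OwnerID  string `json:"-"`
}

// subscriber is one open SSE connection tagged with its authenticated user.
type subscriber struct {
	userID string
	ch     chan UploadEvent
}

// Hub fans upload events out to connected SSE listeners.
type Hub struct {
	mu   sync.Mutex
	subs map[*subscriber]struct{}
}

func NewHub() *Hub { return &Hub{subs: make(map[*subscriber]struct{})} }

// Subscribe registers a listener for userID and returns it with an unsubscribe func.
func (h *Hub) Subscribe(userID string) (*subscriber, func()) {
	s := &subscriber{userID: userID, ch: make(chan UploadEvent, 16)}
	h.mu.Lock()
	h.subs[s] = struct{}{}
	h.mu.Unlock()
	return s, func() { h.mu.Lock(); delete(h.subs, s); h.mu.Unlock() }
}

// VisibleTo is the authorization check: an upload event belongs to its owner only.
func VisibleTo(ev UploadEvent, userID string) bool { return ev.OwnerID == userID }

// BroadcastAll is the leaky pattern: every authenticated listener receives every
// event, so file_id values of other users' uploads are exposed.
func (h *Hub) BroadcastAll(ev UploadEvent) int {
	h.mu.Lock()
	defer h.mu.Unlock()
	n := 0
	for s := range h.subs {
		select {
		case s.ch <- ev:
			n++
		default: // slow listener: drop rather than block the uploader
		}
	}
	return n
}

// BroadcastScoped delivers the event only to listeners owned by ev.OwnerID.
func (h *Hub) BroadcastScoped(ev UploadEvent) int {
	h.mu.Lock()
	defer h.mu.Unlock()
	n := 0
	for s := range h.subs {
		if !VisibleTo(ev, s.userID) {
			continue
		}
		select {
		case s.ch <- ev:
			n++
		default:
		}
	}
	return n
}

// userFromRequest stands in for the application's session lookup (assumption:
// a trusted header set by an upstream auth layer; a real app reads the session).
func userFromRequest(r *http.Request) string { return r.Header.Get("X-Demo-User") }

// ServeSSE streams only the calling user's upload events.
func (h *Hub) ServeSSE(w http.ResponseWriter, r *http.Request) {
	user := userFromRequest(r)
	if user == "" {
		http.Error(w, "unauthorized", http.StatusUnauthorized)
		return
	}
	flusher, ok := w.(http.Flusher)
	if !ok {
		http.Error(w, "streaming unsupported", http.StatusInternalServerError)
		return
	}
	w.Header().Set("Content-Type", "text/event-stream")
	w.Header().Set("Cache-Control", "no-cache")
	sub, unsubscribe := h.Subscribe(user)
	defer unsubscribe()
	for {
		select {
		case <-r.Context().Done():
			return
		case ev := <-sub.ch:
			b, _ := json.Marshal(ev)
			fmt.Fprintf(w, "data: %s\n\n", b)
			flusher.Flush()
		}
	}
}

func main() {
	hub := NewHub()
	http.HandleFunc("/uploadStatus", hub.ServeSSE)
	fmt.Println("listening on :8080; publish with hub.BroadcastScoped(...)")
	_ = http.ListenAndServe(":8080", nil)
}
```

The point to verify in a fix is that the filter runs at publish time against the subscriber's authenticated identity, not that the client is asked to ignore events that are not its own; an authenticated client can read anything the server writes to the stream.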

Issue found by aisafe.io

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.
