logo

Database

Authentication mechanism absence or evasion In github.com/forceu/gokapi

Description

Gokapi vulnerable to Privilege Escalation in File Replace

Summary

An insufficient authorization check in the file replace API allows a user with only list visibility permission (UserPermListOtherUploads) to delete another user's file by abusing the deleteNewFile flag, bypassing the requirement for UserPermDeleteOtherUploads.

Impact

Any authenticated user with PERM_REPLACE (replace own files) and PERM_LIST (view other users' uploads) can delete any other user's file without needing PERM_DELETE.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2026-309432. NVD-2026-309433. OSV-2026-309434. GHSA-j6jp-78w8-34x65. GCVE-2026-30943

References

1. https://github.com/Forceu/Gokapi/security/advisories/GHSA-j6jp-78w8-34x62. https://github.com/Forceu/Gokapi/releases/tag/v2.2.43. https://pkg.go.dev/vuln/GO-2026-4696

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.

FLAT-P2U8R – Vulnerability | Fluid Attacks Database