CVE-2026-29061 - Gokapi: Privilege escalation via incomplete API-key permission revocation on use...

CVE ID: CVE-2026-29061

Published: March 6, 2026, 5:16 a.m.

Description: Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to version 2.2.3, a privilege escalation vulnerability in the user rank demotion logic allows a demoted user's existing API keys to retain ApiPermManageFileRequests and ApiPermManageLogs permissions, enabling continued access to upload-request management and log viewing endpoints after the user has been stripped of all privileges. This issue has been patched in version 2.2.3.

Severity: 5.4 | MEDIUM

CVE Details

Severity: MEDIUM
Published: March 6, 2026
Impact: privilege escalation
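The description above is an instance of incomplete revocation on demotion. The following Go model is an added example, not Gokapi's code or its patch: it contrasts clearing permissions by name with intersecting each key against the new rank's allowed set, and includes a check that reports any bits a key holds beyond its owner's rank. Only ApiPermManageFileRequests and ApiPermManageLogs come from the advisory; the other permission names, the rank names, all bit values and the deny-list shape of the bug are assumptions.

```go
package main

import "fmt"

// Perm is a bitmask of API-key permissions. All bit values are constructed.
type Perm uint16

const (
	PermView                  Perm = 1 << iota // hypothetical
	PermUpload                                 // hypothetical
	PermManageUsers                            // hypothetical
	ApiPermManageFileRequests                  // named in the advisory
	ApiPermManageLogs                          // named in the advisory
)

type Rank int

const (
	RankUser  Rank = iota // hypothetical rank names
	RankAdmin
)

// allowed is the single source of truth for what a rank's keys may hold.
var allowed = map[Rank]Perm{
	RankUser:  PermView | PermUpload,
	RankAdmin: PermView | PermUpload | PermManageUsers | ApiPermManageFileRequests | ApiPermManageLogs,
}

// demoteDenyList models the incomplete pattern (assumed): permissions are
// cleared by name, so any permission missing from the list survives.
func demoteDenyList(keys []Perm) {
	for i := range keys {
		keys[i] &^= PermManageUsers
	}
}

// demoteAllowList intersects every existing key with the new rank's set,
// so permissions added to the system later are revoked by default.
func demoteAllowList(keys []Perm, newRank Rank) {
	for i := range keys {
		keys[i] &= allowed[newRank]
	}
}

// excess returns the bits held by any key beyond what rank allows (0 = clean).
func excess(keys []Perm, rank Rank) (over Perm) {
	for _, k := range keys {
		over |= k &^ allowed[rank]
	}
	return over
}

func main() {
	keys := []Perm{allowed[RankAdmin]} // constructed sample key
	demoteDenyList(keys)
	fmt.Printf("deny-list leftover bits: %05b\n", excess(keys, RankUser))
}
```

Running a check like `excess` over stored keys after upgrading is also a way to find keys that were left over-privileged by earlier demotions.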