Gokapi Data Leak Vulnerability in Upload Status Stream

Vulnerability

A data leak vulnerability has been identified in versions of Gokapi, a self-hosted file sharing server, prior to 2.2.3. The issue lies in the upload status Server-Sent Events (SSE) implementation on the '/uploadStatus' endpoint, which broadcasts global upload states to all authenticated listeners. Each broadcast includes 'file_id' values that are not restricted to the listening user's own uploads. As a result, any authenticated user can access other users' file identifiers and content they are not authorized to see, leading to cross-tenant data exposure and a loss of confidentiality for the affected documents.
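The broadcast pattern described above, next to an owner-scoped variant, as an added example that is not Gokapi's code and does not describe the 2.2.3 patch. The names `Hub`, `UploadStatus`, `Subscribe`, `Publish` and `Pending` are hypothetical, and the file ID is a constructed sample.

```go
package main

import "fmt"

// UploadStatus is a hypothetical event shape, not Gokapi's own type.
type UploadStatus struct {
	OwnerID int    // user who started the upload
	FileID  string // must stay private to the owner
}

type listener struct {
	userID int
	ch     chan UploadStatus
}

type Hub struct{ listeners []listener } // fans events out to SSE listeners

func (h *Hub) Subscribe(userID int) <-chan UploadStatus {
	ch := make(chan UploadStatus, 8) // buffered so this demo never blocks
	h.listeners = append(h.listeners, listener{userID, ch})
	return ch
}

// Publish: scoped=false is the global broadcast; scoped=true filters by owner.
func (h *Hub) Publish(ev UploadStatus, scoped bool) {
	for _, l := range h.listeners {
		if scoped && l.userID != ev.OwnerID {
			continue // authorization check: not this user's upload
		}
		l.ch <- ev
	}
}

// Pending drains the file IDs queued for one listener without blocking.
func Pending(ch <-chan UploadStatus) (ids []string) {
	for n := len(ch); n > 0; n-- {
		ids = append(ids, (<-ch).FileID)
	}
	return ids
}

func main() {
	h := &Hub{}
	alice, bob := h.Subscribe(1), h.Subscribe(2)
	h.Publish(UploadStatus{1, "constructed-id"}, false)
	fmt.Println("global:", Pending(alice), Pending(bob)) // both listeners see the ID
	h.Publish(UploadStatus{1, "constructed-id"}, true)
	fmt.Println("scoped:", Pending(alice), Pending(bob)) // only the owner sees it
}
```

The same two-account check works as a regression test against a real deployment: a second authenticated listener on the status stream should never receive an identifier for an upload it does not own.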

Impact

The vulnerability allows authenticated users to access file identifiers and content belonging to other users, causing unauthorized data exposure and confidentiality breaches for uploaded files.

Remediation

Users are advised to update Gokapi to version 2.2.3, where this vulnerability has been patched.

Added: Mar 6, 2026, 5:21 AM
Updated: Mar 6, 2026, 5:21 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 6.2
remediation: 0.0
relevance: 3.5
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.