CVE-2026-29061
MEDIUM5.4EPSS 0.01%Gokapi has privilege escalation via incomplete API-key permission revocation on user rank demotion
Published: 3/5/2026Modified: 3/23/2026
Description
### Summary A privilege escalation vulnerability in the user rank demotion logic allows a demoted user's existing API keys to retain ApiPermManageFileRequests and ApiPermManageLogs permissions, enabling continued access to upload-request management and log viewing endpoints after the user has been stripped of all privileges. ### Impact Any user who previously held Admin rank and had API keys with ApiPermManageFileRequests or ApiPermManageLogs retains those capabilities after demotion. This allows offboarded or demoted users to: - Create, list, and delete upload requests - Read application logs and system status
Affected packages (2)
- Go/github.com/forceu/gokapifrom 0, < 2.2.3
- Go/github.com/forceu/gokapifrom 0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |