CVE-2026-30943

MEDIUM4.1EPSS 0.01%

Gokapi vulnerable to Privilege Escalation in File Replace

Published: 3/13/2026Modified: 3/24/2026

Description

## Summary An insufficient authorization check in the file replace API allows a user with only list visibility permission (`UserPermListOtherUploads`) to delete another user's file by abusing the `deleteNewFile` flag, bypassing the requirement for `UserPermDeleteOtherUploads`. ### Impact Any authenticated user with `PERM_REPLACE` (replace own files) and `PERM_LIST` (view other users' uploads) can delete any other user's file without needing `PERM_DELETE`.

Affected packages (2)

Go/github.com/forceu/gokapifrom 0, < 2.2.4
Go/github.com/forceu/gokapifrom 0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM4.1	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:N

References (5)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2026-30943
PATCHhttps://github.com/Forceu/Gokapi
WEBhttps://github.com/Forceu/Gokapi/releases/tag/v2.2.4
WEBhttps://github.com/Forceu/Gokapi/security/advisories/GHSA-j6jp-78w8-34x6
WEBhttps://pkg.go.dev/vuln/GO-2026-4696