GHSA-Q658-HFPG-35QC
Vulnerability from github – Published: 2026-03-05 20:42 – Updated: 2026-03-06 15:17
Summary
Gokapi has privilege escalation via incomplete API-key permission revocation on user rank demotion
Details
Summary
A privilege escalation vulnerability in the user rank demotion logic allows a demoted user's existing API keys to retain ApiPermManageFileRequests and ApiPermManageLogs permissions, enabling continued access to upload-request management and log viewing endpoints after the user has been stripped of all privileges.
Impact
Any user who previously held Admin rank and had API keys with ApiPermManageFileRequests or ApiPermManageLogs retains those capabilities after demotion. This allows offboarded or demoted users to:
- Create, list, and delete upload requests
- Read application logs and system status
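As an added illustration (not Gokapi's own code), the demotion flaw described above next to its fix, in Go. The rank store, the ApiKey struct and the permission bit values are constructed for this example; only the two permission names come from the advisory. StaleAdminKeys is the consistency check an operator can run over an existing key store after upgrading, since keys issued before the fix are not touched by a later demotion.

```go
package main

// API-key permission bits. The bit values are constructed for this example
// and are not Gokapi's own constants; only the two names come from the advisory.
type ApiPermission uint16

const (
	ApiPermView               ApiPermission = 1 << iota
	ApiPermManageFileRequests
	ApiPermManageLogs
)

// AdminOnlyPerms are the permissions that must not survive a demotion from Admin.
const AdminOnlyPerms = ApiPermManageFileRequests | ApiPermManageLogs

type ApiKey struct {
	ID, Owner string
	Perms     ApiPermission
}

// Rank records which users currently hold Admin rank (constructed store).
type Rank map[string]bool

// DemoteVulnerable mirrors the flaw: the rank changes, the user's keys do not.
func DemoteVulnerable(admins Rank, user string, keys []ApiKey) { admins[user] = false }

// DemoteFixed strips admin-only permissions from every key the user owns in
// the same step that removes the rank, so old credentials cannot outlive it.
func DemoteFixed(admins Rank, user string, keys []ApiKey) {
	admins[user] = false
	for i := range keys {
		if keys[i].Owner == user {
			keys[i].Perms &^= AdminOnlyPerms
		}
	}
}

// StaleAdminKeys is a consistency check for the key store: it returns the IDs
// of keys whose owner is not an admin but which still carry admin-only bits.
func StaleAdminKeys(admins Rank, keys []ApiKey) []string {
	var stale []string
	for _, k := range keys {
		if !admins[k.Owner] && k.Perms&AdminOnlyPerms != 0 {
			stale = append(stale, k.ID)
		}
	}
	return stale
}
```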
Severity
5.4 (Medium)
{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/forceu/gokapi"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.2.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-29061"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-284"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-05T20:42:32Z",
    "nvd_published_at": "2026-03-06T05:16:40Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\nA privilege escalation vulnerability in the user rank demotion logic allows a demoted user\u0027s existing API keys to retain ApiPermManageFileRequests and ApiPermManageLogs permissions, enabling continued access to upload-request management and log viewing endpoints after the user has been stripped of all privileges.\n\n### Impact\nAny user who previously held Admin rank and had API keys with ApiPermManageFileRequests or ApiPermManageLogs retains those capabilities after demotion. This allows offboarded or demoted users to:\n - Create, list, and delete upload requests\n - Read application logs and system status",
  "id": "GHSA-q658-hfpg-35qc",
  "modified": "2026-03-06T15:17:16Z",
  "published": "2026-03-05T20:42:32Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/Forceu/Gokapi/security/advisories/GHSA-q658-hfpg-35qc"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29061"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Forceu/Gokapi"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Forceu/Gokapi/releases/tag/v2.2.3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Gokapi has privilege escalation via incomplete API-key permission revocation on user rank demotion"
}