CVE-2026-29060: Gokapi has privilege escalation with auth token

March 5, 2026

A registered user without privileges to create or modify file requests is able to create a short-lived API key that has the permission to do so.

The user must be registered with Gokapi. If you do not have any other users with access to the admin/upload menu, you are not impacted.

References

github.com/Forceu/Gokapi
github.com/Forceu/Gokapi/security/advisories/GHSA-m2hx-wjxc-9fp4
github.com/advisories/GHSA-m2hx-wjxc-9fp4
nvd.nist.gov/vuln/detail/CVE-2026-29060

Code Behaviors & Features

Detect and mitigate CVE-2026-29060 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →