CVE-2026-29061: Gokapi has privilege escalation via incomplete API-key permission revocation on user rank demotion
A privilege escalation vulnerability in the user rank demotion logic allows a demoted user’s existing API keys to retain ApiPermManageFileRequests and ApiPermManageLogs permissions, enabling continued access to upload-request management and log viewing endpoints after the user has been stripped of all privileges.
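The revocation gap described above, as an added example that is not Gokapi's code: a demotion that clears a hand-written list of privileged bits, next to one that intersects each key with the new rank's permission ceiling. Only ApiPermManageFileRequests and ApiPermManageLogs come from the advisory; the other permission names, the bit values, allowedForUser and the function names are assumptions, and the deny-list shape of the flawed routine is itself an assumed model of "incomplete revocation".

```go
package main

import "fmt"

type ApiPerm uint16

// Only ApiPermManageFileRequests and ApiPermManageLogs are named in the
// advisory; the other names and every bit value are assumptions.
const (
	ApiPermView ApiPerm = 1 << iota
	ApiPermUpload
	ApiPermManageUsers
	ApiPermManageFileRequests
	ApiPermManageLogs
)

// allowedForUser is the assumed permission ceiling for the lowest rank.
const allowedForUser = ApiPermView | ApiPermUpload

// demoteDenyList models the flawed pattern: it clears a hand-written list of
// privileged bits, so any bit missing from that list survives the demotion.
func demoteDenyList(keys []ApiPerm) {
	for i := range keys {
		keys[i] &^= ApiPermManageUsers
	}
}

// demoteAllowList intersects each key with the ceiling of the new rank, so a
// bit that is not explicitly allowed can never survive.
func demoteAllowList(keys []ApiPerm, ceiling ApiPerm) {
	for i := range keys {
		keys[i] &= ceiling
	}
}

// excess returns the bits a key holds beyond the ceiling; a non-zero result
// after a demotion means the revocation was incomplete.
func excess(key, ceiling ApiPerm) ApiPerm { return key &^ ceiling }

func main() {
	admin := ApiPermView | ApiPermUpload | ApiPermManageUsers |
		ApiPermManageFileRequests | ApiPermManageLogs // constructed sample key
	a, b := []ApiPerm{admin}, []ApiPerm{admin}
	demoteDenyList(a)
	demoteAllowList(b, allowedForUser)
	fmt.Printf("deny-list leftover:  %05b\n", excess(a[0], allowedForUser))
	fmt.Printf("allow-list leftover: %05b\n", excess(b[0], allowedForUser))
}
```

The same excess check can be run over stored keys after any rank change as an audit: a non-zero result flags a key that still holds permissions above its owner's rank.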