CVE-2026-29084: Gokapi has CSRF in Login Endpoint

March 5, 2026 (updated March 6, 2026)

The login flow accepts credential-bearing requests without CSRF protection mechanisms tied to the browser session context. The handler parses form values directly and creates a session on successful credential validation.

Issue found by aisafe.io

References

github.com/Forceu/Gokapi
github.com/Forceu/Gokapi/releases/tag/v2.2.3
github.com/Forceu/Gokapi/security/advisories/GHSA-hcff-qv74-7hr4
github.com/advisories/GHSA-hcff-qv74-7hr4
nvd.nist.gov/vuln/detail/CVE-2026-29084

Code Behaviors & Features

Detect and mitigate CVE-2026-29084 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →