CVE-2026-30955 - Vulnerability Details - OpenCVE

Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to 2.2.4, An API endpoint accepts unbounded request bodies without any size limit. An authenticated user can cause an OOM kill and complete service disruption for all users. This vulnerability is fixed in 2.2.4.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Exploitation none

Automatable no

Technical Impact partial

No data.

No data.

No data.

No data.

Advisories

Source	ID	Title
Github GHSA	GHSA-qwc6-vc2v-2ggj	Gokapi vulnerable to DoS in E2E Metadata Parser

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://github.com/Forceu/Gokapi/releases/tag/v2.2.4
https://github.com/Forceu/Gokapi/security/advisories/GHSA-qwc6-vc2v-2ggj

History

Fri, 13 Mar 2026 20:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Fri, 13 Mar 2026 19:30:00 +0000

Type	Values Removed	Values Added
Description		Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to 2.2.4, An API endpoint accepts unbounded request bodies without any size limit. An authenticated user can cause an OOM kill and complete service disruption for all users. This vulnerability is fixed in 2.2.4.
Title		Gokapi vulnerable to DoS in E2E Metadata Parser
Weaknesses		CWE-400
References		https://github.com/Forceu/Gokapi/releases/tag/v2.2.4 https://github.com/Forceu/Gokapi/security/advisories/GHSA-qwc6-vc2v-2ggj
Metrics		cvssV3_1 `{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}`

Projects

Sign in to view the affected projects.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-03-13T19:07:55.836Z

Updated: 2026-03-13T19:39:58.108Z

Reserved: 2026-03-07T17:34:39.981Z

Link: CVE-2026-30955

Vulnrichment

Updated: 2026-03-13T19:39:54.957Z

NVD

Status : Received

Published: 2026-03-13T19:54:35.740

Modified: 2026-03-13T19:54:35.740

Link: CVE-2026-30955

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

CWE-400

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-30955", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-07T17:34:39.981Z", "datePublished": "2026-03-13T19:07:55.836Z", "dateUpdated": "2026-03-13T19:39:58.108Z"}, "containers": {"cna": {"title": "Gokapi vulnerable to DoS in E2E Metadata Parser", "problemTypes": [{"descriptions": [{"cweId": "CWE-400", "lang": "en", "description": "CWE-400: Uncontrolled Resource Consumption", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/Forceu/Gokapi/security/advisories/GHSA-qwc6-vc2v-2ggj", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/Forceu/Gokapi/security/advisories/GHSA-qwc6-vc2v-2ggj"}, {"name": "https://github.com/Forceu/Gokapi/releases/tag/v2.2.4", "tags": ["x_refsource_MISC"], "url": "https://github.com/Forceu/Gokapi/releases/tag/v2.2.4"}], "affected": [{"vendor": "Forceu", "product": "Gokapi", "versions": [{"version": "< 2.2.4", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-13T19:07:55.836Z"}, "descriptions": [{"lang": "en", "value": "Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to 2.2.4, An API endpoint accepts unbounded request bodies without any size limit. An authenticated user can cause an OOM kill and complete service disruption for all users. This vulnerability is fixed in 2.2.4."}], "source": {"advisory": "GHSA-qwc6-vc2v-2ggj", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-13T19:39:50.860585Z", "id": "CVE-2026-30955", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-13T19:39:58.108Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-30955", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-13T19:39:50.860585Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-13T19:39:54.957Z"}}], "cna": {"title": "Gokapi vulnerable to DoS in E2E Metadata Parser", "source": {"advisory": "GHSA-qwc6-vc2v-2ggj", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "Forceu", "product": "Gokapi", "versions": [{"status": "affected", "version": "< 2.2.4"}]}], "references": [{"url": "https://github.com/Forceu/Gokapi/security/advisories/GHSA-qwc6-vc2v-2ggj", "name": "https://github.com/Forceu/Gokapi/security/advisories/GHSA-qwc6-vc2v-2ggj", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/Forceu/Gokapi/releases/tag/v2.2.4", "name": "https://github.com/Forceu/Gokapi/releases/tag/v2.2.4", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to 2.2.4, An API endpoint accepts unbounded request bodies without any size limit. An authenticated user can cause an OOM kill and complete service disruption for all users. This vulnerability is fixed in 2.2.4."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-400", "description": "CWE-400: Uncontrolled Resource Consumption"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-13T19:07:55.836Z"}}}, "cveMetadata": {"cveId": "CVE-2026-30955", "state": "PUBLISHED", "dateUpdated": "2026-03-13T19:39:58.108Z", "dateReserved": "2026-03-07T17:34:39.981Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-13T19:07:55.836Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}