GHSA-q658-hfpg-35qc

Source
https://github.com/advisories/GHSA-q658-hfpg-35qc
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-q658-hfpg-35qc/GHSA-q658-hfpg-35qc.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-q658-hfpg-35qc
Aliases
Published
2026-03-05T20:42:32Z
Modified
2026-03-23T04:56:08.870761058Z
Severity
  • 5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Summary
Gokapi has privilege escalation via incomplete API-key permission revocation on user rank demotion
Details

Summary

A privilege escalation vulnerability in the user rank demotion logic allows a demoted user's existing API keys to retain ApiPermManageFileRequests and ApiPermManageLogs permissions, enabling continued access to upload-request management and log viewing endpoints after the user has been stripped of all privileges.

Impact

Any user who previously held Admin rank and had API keys with ApiPermManageFileRequests or ApiPermManageLogs retains those capabilities after demotion. This allows offboarded or demoted users to:
  • Create, list, and delete upload requests
  • Read application logs and system status
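The flaw described above is a deny-list revocation that forgets two permission bits. The following Go program is an added illustration, not Gokapi's own code: it models API-key permissions as a bit set, contrasts the incomplete deny-list demotion with an allow-list mask derived from the new rank, and includes an audit function an operator could adapt to find keys that still exceed their owner's rank. ApiPermManageFileRequests and ApiPermManageLogs are the names from the advisory; every other identifier, the numeric bit values, the rank model and the sample keys are assumptions made for this example.

```go
package main

import (
	"fmt"
	"strings"
)

// ApiPermission is a bit set of capabilities granted to an API key.
// ApiPermManageFileRequests and ApiPermManageLogs come from the advisory;
// the other flags and all numeric values are assumed for this example.
type ApiPermission uint16

const (
	ApiPermView               ApiPermission = 1 << iota // list and download files
	ApiPermUpload                                       // upload files
	ApiPermManageUsers                                  // admin only (hypothetical flag)
	ApiPermManageFileRequests                           // admin only: create/list/delete upload requests
	ApiPermManageLogs                                   // admin only: read logs and system status
)

var permNames = []struct {
	bit  ApiPermission
	name string
}{
	{ApiPermView, "View"}, {ApiPermUpload, "Upload"}, {ApiPermManageUsers, "ManageUsers"},
	{ApiPermManageFileRequests, "ManageFileRequests"}, {ApiPermManageLogs, "ManageLogs"},
}

// String renders the set bits by name, which makes audit output readable.
func (p ApiPermission) String() string {
	var names []string
	for _, e := range permNames {
		if p&e.bit != 0 {
			names = append(names, e.name)
		}
	}
	if len(names) == 0 {
		return "none"
	}
	return strings.Join(names, "|")
}

type UserRank int

const (
	RankUser UserRank = iota
	RankAdmin
)

type ApiKey struct {
	Id          string
	Permissions ApiPermission
}

// allowedForRank is the allow-list: every permission a key may hold at a rank.
func allowedForRank(rank UserRank) ApiPermission {
	base := ApiPermView | ApiPermUpload
	if rank == RankAdmin {
		return base | ApiPermManageUsers | ApiPermManageFileRequests | ApiPermManageLogs
	}
	return base
}

// demoteDenyList models the flawed pattern: demotion clears an explicit list of
// admin bits, and that list omits ManageFileRequests and ManageLogs.
func demoteDenyList(keys []ApiKey) []ApiKey {
	out := make([]ApiKey, len(keys))
	for i, k := range keys {
		k.Permissions &^= ApiPermManageUsers // incomplete: two admin bits survive
		out[i] = k
	}
	return out
}

// demoteAllowList is the robust pattern: mask every key against what the new
// rank may hold, so any bit outside that set is cleared without listing it.
func demoteAllowList(keys []ApiKey, newRank UserRank) []ApiKey {
	out := make([]ApiKey, len(keys))
	for i, k := range keys {
		k.Permissions &= allowedForRank(newRank)
		out[i] = k
	}
	return out
}

// excessPermissions returns the bits a key holds beyond its owner's rank.
func excessPermissions(k ApiKey, rank UserRank) ApiPermission {
	return k.Permissions &^ allowedForRank(rank)
}

// auditKeys returns the ids of keys whose permissions exceed the owner's rank;
// run against stored keys, it detects the leftover state the advisory describes.
func auditKeys(keys []ApiKey, rank UserRank) []string {
	var flagged []string
	for _, k := range keys {
		if excessPermissions(k, rank) != 0 {
			flagged = append(flagged, k.Id)
		}
	}
	return flagged
}

func main() {
	// Constructed sample: a former admin with one full-privilege key and one upload-only key.
	keys := []ApiKey{
		{Id: "key-admin", Permissions: allowedForRank(RankAdmin)},
		{Id: "key-upload", Permissions: ApiPermUpload},
	}
	after := demoteDenyList(keys)
	fmt.Println("deny-list demotion flags:", auditKeys(after, RankUser))
	for _, k := range after {
		fmt.Printf("  %s retains excess: %v\n", k.Id, excessPermissions(k, RankUser))
	}
	fixed := demoteAllowList(keys, RankUser)
	fmt.Println("allow-list demotion flags:", auditKeys(fixed, RankUser))
}
```

The audit function is the part worth keeping after the fix: running it over all stored keys against each owner's current rank catches keys created before the patch, which a code change alone does not clean up.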

Database specific
{
    "nvd_published_at": "2026-03-06T05:16:40Z",
    "severity": "MODERATE",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-284"
    ],
    "github_reviewed_at": "2026-03-05T20:42:32Z"
}
References

Affected packages

Go / github.com/forceu/gokapi

Package

Name
github.com/forceu/gokapi
Purl
pkg:golang/github.com/forceu/gokapi

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
2.2.3

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-q658-hfpg-35qc/GHSA-q658-hfpg-35qc.json"