Platform: go
Component: github.com/forceu/gokapi
Fixed in: 2.2.4, 2.2.3
CVE-2026-29084 identifies a Cross-Site Request Forgery (CSRF) vulnerability within the login endpoint of Gokapi, a Go-based API framework. This flaw allows an attacker to potentially execute unauthorized actions on behalf of an authenticated user. The vulnerability impacts versions of Gokapi released before v2.2.3. Applying the update to version 2.2.3 effectively mitigates this risk.
A successful CSRF attack against Gokapi's login endpoint could allow an attacker to impersonate a legitimate user and perform actions they are authorized to do. This could include modifying data, accessing sensitive information, or performing administrative tasks. The impact is amplified if the affected Gokapi instance is used in a critical business process or handles sensitive data. While the CVSS score is medium, the potential for unauthorized access and data manipulation warrants immediate attention. The attacker would need to trick a user into clicking a malicious link or visiting a crafted webpage, which could be achieved through phishing or cross-site scripting (XSS) vulnerabilities on other parts of the application.
CVE-2026-29084 was publicly disclosed on 2026-03-10. There are currently no known public proof-of-concept exploits available. The vulnerability is not listed on the CISA KEV catalog at the time of writing. The vulnerability's impact is dependent on the security posture of the surrounding application and the sensitivity of the data handled by Gokapi.
Organizations using Gokapi in their backend systems, particularly those handling sensitive user data or providing critical services, are at risk. Applications relying on Gokapi's API for authentication and authorization are also vulnerable. Development teams using older versions of Gokapi should prioritize upgrading to the latest release.
• go / server: Inspect Gokapi application code for missing or improperly implemented CSRF protection on the login endpoint. Look for the absence of CSRF tokens in request parameters or headers.

    // Example: reject the request when the CSRF token is missing or fails validation
    if token == nil || !token.Valid() {
        return http.StatusBadRequest, errors.New("invalid CSRF token")
    }

• generic web: Monitor access logs for suspicious requests targeting the Gokapi login endpoint, particularly those originating from unusual IP addresses or user agents.

    grep "/login" access.log | grep -v "127.0.0.1" | sort | uniq -c

• generic web: Use a web proxy (e.g., Burp Suite) to intercept and analyze requests to the Gokapi login endpoint, looking for missing CSRF tokens or other suspicious patterns.
Disclosure
Exploit status
EPSS: 0.01% (1st percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-29084 is to upgrade Gokapi to version 2.2.3 or later. This version includes the necessary fixes to prevent CSRF attacks on the login endpoint. If upgrading immediately is not feasible, consider implementing temporary workarounds such as adding CSRF tokens to all sensitive requests or implementing stricter input validation. Web Application Firewalls (WAFs) can be configured to detect and block suspicious CSRF requests. After upgrading, verify the fix by attempting to trigger a CSRF request using a tool like Burp Suite or OWASP ZAP and confirming that the request is rejected.
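As an added example (not Gokapi's own code), the kind of login-endpoint protection that the detection bullet and the "add CSRF tokens" workaround above describe: a Go middleware that rejects a cross-origin or token-less login POST, exercised offline through httptest so a forged request can be compared with a legitimate one. The form-field and cookie name csrf_token, the origin https://gokapi.example and the /login path are assumptions for this example, not Gokapi's actual identifiers.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)
const csrfField = "csrf_token" // hypothetical form-field and cookie name, not Gokapi's own
// NewCSRFToken returns a random token to embed in the login form and mirror in a cookie.
func NewCSRFToken() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return hex.EncodeToString(b), nil
}
// CSRFProtect rejects a POST whose Origin header (when sent) is foreign, or whose form token is missing or differs from the cookie token (double-submit); other methods pass through.
func CSRFProtect(origin string, next http.HandlerFunc) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		if r.Method == http.MethodPost {
			if o := r.Header.Get("Origin"); o != "" && o != origin {
				http.Error(w, "cross-origin request rejected", http.StatusForbidden)
				return
			}
			c, err := r.Cookie(csrfField)
			if err != nil || c.Value == "" || subtle.ConstantTimeCompare([]byte(r.FormValue(csrfField)), []byte(c.Value)) != 1 {
				http.Error(w, "invalid CSRF token", http.StatusForbidden)
				return
			}
		}
		next(w, r)
	}
}
// LoginStatus submits a constructed login form through CSRFProtect offline (httptest) and returns the status code.
func LoginStatus(origin, cookieTok, formTok string) int {
	h := CSRFProtect("https://gokapi.example", func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })
	body := url.Values{"username": {"alice"}, csrfField: {formTok}}.Encode()
	req := httptest.NewRequest(http.MethodPost, "/login", strings.NewReader(body))
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	req.Header.Set("Origin", origin) // empty string models a client that sends no Origin header
	req.AddCookie(&http.Cookie{Name: csrfField, Value: cookieTok})
	rr := httptest.NewRecorder()
	h(rr, req)
	return rr.Code
}
```

The cookie carrying the token should additionally be set with SameSite and Secure attributes on the response; the example only shows the server-side check.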
Update Gokapi to version 2.2.3 or later. This version fixes the CSRF vulnerability in the login endpoint. Updating prevents attackers from exploiting this vulnerability to perform unauthorized actions on behalf of authenticated users.
CVE-2026-29084 is a Cross-Site Request Forgery (CSRF) vulnerability affecting the login endpoint of Gokapi, allowing attackers to potentially hijack user sessions.
You are affected if you are using Gokapi versions prior to 2.2.3. Assess your deployments to determine if you are using a vulnerable version.
Upgrade Gokapi to version 2.2.3 or later to resolve the vulnerability. Consider temporary workarounds like CSRF tokens if immediate upgrade is not possible.
There are currently no confirmed reports of active exploitation of CVE-2026-29084, but it is crucial to apply the fix proactively.
Refer to the Gokapi project's official advisory channels and release notes for details on CVE-2026-29084 and the corresponding fix.