Gokapi logo

Gokapi

Lightweight self-hosted Firefox Send alternative

Alternative to: firefox send, wetransfer, dropbox transfer


About Versions (38)

v2.2.3

2026-03-04

⚠️ This update contains important security fixes. We recommend all users to update to this version, especially if more than one user is registered at your Gokapi instance.

Changelog

  • Fixed one vulnerability with high severity and four with moderate severity

  • Fixed severe bug that deleted all files if a user with a file request was manually deleted from the database #373

  • Add GOKAPI_AWS_PROXY_DOWNLOAD environment variable by @Nerahikada #372

  • Added DISABLE_API_MENU env to hide API menu and disable generation of new API keys for non-admin users #377

  • Fixed S3 environment variables not being applied during initial setup by @Nerahikada #370

  • Fixed MinPasswordLength in reconfiguration setup view by @Nerahikada #371

  • Fixed OIDC bug which prevented error check #369

  • Fixed API download / download button always proxying AWS files #375

  • Better error handling for setup CORS check

  • Added better rate limiting

  • Replace space with underscore instead of url escaping it

  • More minor changes and fixes

  • Changed to Go1.26

  • Gokapi-cli: Fixed logout not working, fixed upload not working #363

  • Gokapi-cli: Fixed download and add E2E download support by @Upellift99 #365

Breaking Changes

  • SVG images cannot be hotlinked anymore and old hotlinks to SVG images will be removed on startup

Fixed CVEs

  • Stored XSS in SVG Hotlinks GHSA-3c22-5j5m-4jq7 (high)
  • Privilege escalation with auth token GHSA-m2hx-wjxc-9fp4 (moderate)
  • Incomplete API-key permission revocation on user rank demotion GHSA-q658-hfpg-35qc (moderate)
  • CSRF in Login Endpoint GHSA-hcff-qv74-7hr4 (moderate)
  • Data Leak in Upload Status Stream GHSA-c36c-7pc2-f2ph (moderate)

New Contributors

Full Changelog: https://github.com/Forceu/Gokapi/compare/v2.2.2…v2.2.3