CVE Catalog

CVE-2026-56079

MediumCVSS 6.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.24%

15th percentile — higher than 15% of all known CVEs

Summary

Capgo before version 12.128.2 contains a cross-tenant authorization bypass vulnerability in PostgREST endpoints that allows org-scoped read API keys to access other tenants' webhook secrets and delivery logs.

Risk Assessment

Attackers can exploit this vulnerability to exfiltrate HMAC signing secrets and delivery payloads, enabling forged webhook events against victim organizations.

Recommendation

It is recommended to upgrade to version 12.128.2 or later to mitigate this vulnerability and restrict access to org-scoped API keys.

Original NVD description (English source)

Capgo before 12.128.2 contains a cross-tenant authorization bypass vulnerability in PostgREST endpoints that allows org-scoped read API keys to access other tenants' webhook secrets and delivery logs. Attackers can query the webhooks and webhook_deliveries endpoints to exfiltrate HMAC signing secrets and delivery payloads, enabling forged webhook events against victim organizations.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS