CVE-2026-56079
MediumCVSS 6.5Exploitation Probability (EPSS)
Low risk15th percentile — higher than 15% of all known CVEs
Summary
Capgo before version 12.128.2 contains a cross-tenant authorization bypass vulnerability in PostgREST endpoints that allows org-scoped read API keys to access other tenants' webhook secrets and delivery logs.
Risk Assessment
Attackers can exploit this vulnerability to exfiltrate HMAC signing secrets and delivery payloads, enabling forged webhook events against victim organizations.
Recommendation
It is recommended to upgrade to version 12.128.2 or later to mitigate this vulnerability and restrict access to org-scoped API keys.
Original NVD description (English source)
Capgo before 12.128.2 contains a cross-tenant authorization bypass vulnerability in PostgREST endpoints that allows org-scoped read API keys to access other tenants' webhook secrets and delivery logs. Attackers can query the webhooks and webhook_deliveries endpoints to exfiltrate HMAC signing secrets and delivery payloads, enabling forged webhook events against victim organizations.

