CVE-2026-56216
HighCVSS 8.8Exploitation Probability (EPSS)
Low risk16th percentile — higher than 16% of all known CVEs
Summary
Capgo before 12.128.2 contains a scope escalation vulnerability in the POST /functions/v1/apikey endpoint that allows app-limited API keys to mint unrestricted keys by setting empty limits.
Risk Assessment
Attackers with a compromised app-limited key can create an unrestricted key with org-wide access to resources like app listings and other protected endpoints.
Recommendation
It is recommended to upgrade to Capgo version 12.128.2 or later to mitigate this vulnerability and to monitor API key usage for potential abuse.
Original NVD description (English source)
Capgo before 12.128.2 contains a scope escalation vulnerability in the POST /functions/v1/apikey endpoint that allows app-limited API keys to mint unrestricted keys by setting empty limits. Attackers with a compromised app-limited key can create an unrestricted key with org-wide access to resources like app listings and other protected endpoints.

