CVE-2026-56225
HighCVSS 8.3Summary
Capgo before version 12.128.2 contains an authorization bypass vulnerability in its public API key management handlers (get/put/delete/post). API keys created with mode=all but restricted to a single app via limited_to_apps are only checked for limited_to_orgs, allowing tampering with account-level credentials.
Risk Assessment
This vulnerability allows apps with scoped access to enumerate, update, and delete sibling API keys belonging to the same account that are outside their declared app scope, potentially leading to unauthorized access and data manipulation.
Recommendation
It is recommended to upgrade to Capgo version 12.128.2 or later to mitigate this vulnerability. Additionally, conducting an audit of API keys and their permissions is advisable to ensure security.
Original NVD description (English source)
Capgo before 12.128.2 contains an authorization bypass vulnerability in its public API key management handlers (get/put/delete/post). API keys created with mode=all but restricted to a single app via limited_to_apps are only checked for limited_to_orgs and not for limited_to_apps, so an app-scoped key can enumerate, update, and delete sibling API keys belonging to the same account that are outside its declared app scope, enabling tampering with account-level credentials.

