CVE Catalog

CVE-2026-56225

HighCVSS 8.3
Published: Updated: Translated: NVD NIST

Summary

Capgo before version 12.128.2 contains an authorization bypass vulnerability in its public API key management handlers (get/put/delete/post). API keys created with mode=all but restricted to a single app via limited_to_apps are only checked for limited_to_orgs, allowing tampering with account-level credentials.

Risk Assessment

This vulnerability allows apps with scoped access to enumerate, update, and delete sibling API keys belonging to the same account that are outside their declared app scope, potentially leading to unauthorized access and data manipulation.

Recommendation

It is recommended to upgrade to Capgo version 12.128.2 or later to mitigate this vulnerability. Additionally, conducting an audit of API keys and their permissions is advisable to ensure security.

Original NVD description (English source)

Capgo before 12.128.2 contains an authorization bypass vulnerability in its public API key management handlers (get/put/delete/post). API keys created with mode=all but restricted to a single app via limited_to_apps are only checked for limited_to_orgs and not for limited_to_apps, so an app-scoped key can enumerate, update, and delete sibling API keys belonging to the same account that are outside its declared app scope, enabling tampering with account-level credentials.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS