CVE Catalog

CVE-2026-56229

MediumCVSS 6.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.22%

12th percentile — higher than 12% of all known CVEs

Summary

Capgo before 12.128.2 contains an authorization bypass vulnerability in the /build/status and /build/logs endpoints that allows attackers to access build jobs belonging to different applications by supplying a mismatched app_id and job_id combination.

Risk Assessment

This vulnerability allows access to sensitive build information, including logs, metadata, and potentially credentials, which could lead to serious security breaches within the organization.

Recommendation

It is recommended to update Capgo to version 12.128.2 or later and to review and strengthen the API key management policy to restrict access to sensitive data.

Original NVD description (English source)

Capgo before 12.128.2 contains an authorization bypass vulnerability in the /build/status and /build/logs endpoints that allows attackers to access build jobs belonging to different applications by supplying a mismatched app_id and job_id combination. Limited API keys restricted to a single app can retrieve build status and logs from other apps by providing an authorized app_id while using a job_id from an unauthorized app, exposing sensitive build information including logs, metadata, and potentially credentials.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS