CVE Catalog

CVE-2026-56230

HighCVSS 8.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.32%

24th percentile — higher than 24% of all known CVEs

Summary

The vulnerability in Capgo before version 12.128.2 is a broken object level authorization in the middlewareKey() function. It accepts the client-controlled x-limited-key-id header without validating ownership, allowing authenticated users to adopt cross-tenant limited keys. Attackers can supply another tenant's limited key ID to bypass authorization checks and access unauthorized cross-tenant resources across multiple API endpoints.

Risk Assessment

The risk involves unauthorized access to data and resources of other tenants, potentially leading to confidentiality and integrity breaches, as well as legal and reputational consequences.

Recommendation

Immediately upgrade Capgo to version 12.128.2 or later, which includes a fix for this vulnerability. Additionally, review authorization configurations and implement key ownership validation mechanisms.

Original NVD description (English source)

Capgo before 12.128.2 contains a broken object level authorization vulnerability in middlewareKey() that accepts the client-controlled x-limited-key-id header without validating ownership, allowing authenticated users to adopt cross-tenant limited keys. Attackers can supply another tenant's limited key ID to bypass authorization checks and access unauthorized cross-tenant resources across multiple API endpoints.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS