CVE-2026-56230
HighCVSS 8.8Exploitation Probability (EPSS)
Low risk24th percentile — higher than 24% of all known CVEs
Summary
The vulnerability in Capgo before version 12.128.2 is a broken object level authorization in the middlewareKey() function. It accepts the client-controlled x-limited-key-id header without validating ownership, allowing authenticated users to adopt cross-tenant limited keys. Attackers can supply another tenant's limited key ID to bypass authorization checks and access unauthorized cross-tenant resources across multiple API endpoints.
Risk Assessment
The risk involves unauthorized access to data and resources of other tenants, potentially leading to confidentiality and integrity breaches, as well as legal and reputational consequences.
Recommendation
Immediately upgrade Capgo to version 12.128.2 or later, which includes a fix for this vulnerability. Additionally, review authorization configurations and implement key ownership validation mechanisms.
Original NVD description (English source)
Capgo before 12.128.2 contains a broken object level authorization vulnerability in middlewareKey() that accepts the client-controlled x-limited-key-id header without validating ownership, allowing authenticated users to adopt cross-tenant limited keys. Attackers can supply another tenant's limited key ID to bypass authorization checks and access unauthorized cross-tenant resources across multiple API endpoints.

