CVE Catalog

CVE-2026-56231

HighCVSS 7.6
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.18%

7th percentile — higher than 7% of all known CVEs

Summary

Capgo before 12.128.2 contains a BOLA (broken object level authorization) vulnerability in the POST /build/start/:jobId and POST /build/cancel/:jobId endpoints. An attacker can exploit the controlled app_id to authorize requests, allowing them to start or cancel build jobs of other tenants.

Risk Assessment

The organization may be exposed to cross-tenant build sabotage, unauthorized compute actions, and potential billing issues. This allows attackers to affect the resources of other users.

Recommendation

It is recommended to upgrade to version 12.128.2 or later to fix this vulnerability. Additionally, implementing further authorization checks to ensure that the jobId in the URL belongs to the appropriate app_id is advisable.

Original NVD description (English source)

Capgo before 12.128.2 contains a broken object level authorization (BOLA) vulnerability in the POST /build/start/:jobId and POST /build/cancel/:jobId endpoints. The handlers authorize the request based only on the attacker-controlled app_id supplied in the request body and never verify that the jobId in the URL belongs to that app_id (or the same tenant/org) before issuing privileged builder commands with the server-held builder API key. An authenticated user with the app.build_native permission for any app they control can start or cancel arbitrary builder jobs belonging to other tenants by supplying a victim jobId, resulting in cross-tenant build sabotage (denial of service), unauthorized compute actions, and potential billing impact.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS