CVE Catalog

CVE-2026-56232

HighCVSS 8.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.27%

18th percentile — higher than 18% of all known CVEs

Summary

Capgo versions before 12.128.2 fail to enforce limited_to_orgs and limited_to_apps constraints on subkeys provided via the x-limited-key-id header in the middlewareKey function. Attackers can bypass subkey scope restrictions by referencing their own subkeys.

Risk Assessment

The organization may be exposed to unauthorized access to resources, as all downstream route handlers may use the unrestricted parent key instead of the appropriate subkey.

Recommendation

It is recommended to update Capgo to version 12.128.2 or later to ensure proper enforcement of subkey constraints.

Original NVD description (English source)

Capgo before 12.128.2 fails to enforce limited_to_orgs and limited_to_apps constraints on subkeys provided via x-limited-key-id header in middlewareKey function. Attackers can bypass subkey scope restrictions by referencing their own subkeys, causing all downstream route handlers to use the unrestricted parent key instead of the scoped subkey.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS