CVE-2026-56232
HighCVSS 8.8Exploitation Probability (EPSS)
Low risk18th percentile — higher than 18% of all known CVEs
Summary
Capgo versions before 12.128.2 fail to enforce limited_to_orgs and limited_to_apps constraints on subkeys provided via the x-limited-key-id header in the middlewareKey function. Attackers can bypass subkey scope restrictions by referencing their own subkeys.
Risk Assessment
The organization may be exposed to unauthorized access to resources, as all downstream route handlers may use the unrestricted parent key instead of the appropriate subkey.
Recommendation
It is recommended to update Capgo to version 12.128.2 or later to ensure proper enforcement of subkey constraints.
Original NVD description (English source)
Capgo before 12.128.2 fails to enforce limited_to_orgs and limited_to_apps constraints on subkeys provided via x-limited-key-id header in middlewareKey function. Attackers can bypass subkey scope restrictions by referencing their own subkeys, causing all downstream route handlers to use the unrestricted parent key instead of the scoped subkey.

