CVE Catalog

CVE-2026-56233

HighCVSS 8.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.45%

36th percentile — higher than 36% of all known CVEs

Summary

Capgo before version 12.128.2 contains a path traversal vulnerability in the builder upload proxy that allows authenticated users with build permissions to bypass upload restrictions. Attackers can append traversal sequences to the upload path, which are normalized by the WHATWG URL parser, enabling access to internal administrative endpoints with the privileged BUILDER_API_KEY header and resulting in server-side privilege escalation.

Risk Assessment

The risk for the organization includes unauthorized access to sensitive administrative functions and potential server takeover by an attacker, which could lead to data breaches or service disruption.

Recommendation

It is recommended to immediately upgrade Capgo to version 12.128.2 or later, which fixes this vulnerability. Additionally, review and restrict build user permissions and monitor logs for suspicious access attempts.

Original NVD description (English source)

Capgo before 12.128.2 contains a path traversal vulnerability in the builder upload proxy that allows authenticated users with build permissions to bypass upload restrictions. Attackers can append traversal sequences to the upload path, which are normalized by the WHATWG URL parser, enabling access to internal administrative endpoints with the privileged BUILDER_API_KEY header and resulting in server-side privilege escalation.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS