CVE-2026-56243
HighCVSS 8.1Summary
Capgo before version 12.128.2 contains a security control bypass vulnerability where the PostgREST/RLS plane accepts plaintext API keys through the capgkey header despite enforce_hashed_api_keys being enabled. Attackers can bypass org-level hashed-key enforcement by sending plaintext API keys directly to the PostgREST/RLS plane to access protected resources.
Risk Assessment
This vulnerability poses a serious risk to organizations as it allows unauthorized access to protected resources, potentially leading to data breaches or other security incidents.
Recommendation
It is recommended to upgrade to Capgo version 12.128.2 or later and to review security configurations to ensure that API keys are properly hashed and not accepted in plaintext.
Original NVD description (English source)
Capgo before 12.128.2 contains a security control bypass vulnerability where the PostgREST/RLS plane accepts plaintext API keys through the capgkey header despite enforce_hashed_api_keys being enabled. Attackers can bypass org-level hashed-key enforcement by sending plaintext API keys directly to the PostgREST/RLS plane to access protected resources.

