CVE Catalog

CVE-2026-56280

HighCVSS 7.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.26%

17th percentile - higher than 17% of all known CVEs

Summary

Cap-go before version 12.128.2 contains a privilege inversion vulnerability in GET /build/logs/:jobId that allows read-only API key holders to cancel running native builds. The endpoint registers an abort listener on the SSE stream that unconditionally invokes cancelBuildOnDisconnect() using the privileged server-side BUILDER_API_KEY.

Risk Assessment

Attackers with read-only API keys can repeatedly disrupt native build operations and CI/CD workflows, leading to significant disruptions in the organization's operations.

Recommendation

It is recommended to upgrade to version 12.128.2 or later to eliminate this vulnerability and review API key permissions to restrict access to critical operations.

Original NVD description (English source)

Cap-go before 12.128.2 contains a privilege inversion vulnerability in GET /build/logs/:jobId that allows read-only API key holders to cancel running native builds. The endpoint registers an abort listener on the SSE stream that unconditionally invokes cancelBuildOnDisconnect() using the privileged server-side BUILDER_API_KEY when clients disconnect, bypassing the app.build_native permission check required by the explicit POST /build/cancel/:jobId endpoint. Attackers with read-only API keys can repeatedly disrupt native build operations and CI/CD workflows by opening the log stream and dropping the connection.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS