CVE Catalog

CVE-2026-56295

MediumCVSS 6.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.19%

9th percentile — higher than 9% of all known CVEs

Summary

Capgo before 12.128.2 contains an authorization bypass vulnerability in webhook management endpoints that allows non-expiring API keys to bypass the require_apikey_expiration organization policy. The checkWebhookPermission function fails to call apikeyHasOrgRightWithPolicy, enabling attackers with legacy non-expiring keys to list, create, and delete webhooks.

Risk Assessment

The organization may be exposed to unauthorized access to webhooks, potentially leading to data leaks or unauthorized actions within the system.

Recommendation

It is recommended to update Capgo to version 12.128.2 or later and review the API key management policy to ensure expiration.

Original NVD description (English source)

Capgo before 12.128.2 contains an authorization bypass vulnerability in webhook management endpoints that allows non-expiring API keys to bypass the require_apikey_expiration organization policy. The checkWebhookPermission function fails to call apikeyHasOrgRightWithPolicy, enabling attackers with legacy non-expiring keys to list, create, and delete webhooks despite explicit organizational policy requiring key expiration.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS