CVE-2026-56299
MediumCVSS 5.3Exploitation Probability (EPSS)
Low risk31th percentile — higher than 31% of all known CVEs
Summary
Capgo before 12.128.2 contains an authentication bypass vulnerability in the /build/upload/:jobId/* endpoint that allows unauthenticated attackers to trigger consistent 500 errors.
Risk Assessment
Remote attackers can send OPTIONS requests to bypass authentication middleware, enabling trivial request flooding and denial of service.
Recommendation
It is recommended to upgrade to version 12.128.2 or later to mitigate this vulnerability and implement additional safeguards against denial of service attacks.
Original NVD description (English source)
Capgo before 12.128.2 contains an authentication bypass vulnerability in the /build/upload/:jobId/* endpoint that allows unauthenticated attackers to trigger consistent 500 errors. Remote attackers can send OPTIONS requests to bypass authentication middleware and invoke tusProxy logic with invalid credentials, enabling trivial request flooding and denial of service.

