CVE Catalog

CVE-2026-56316

MediumCVSS 5.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.24%

15th percentile — higher than 15% of all known CVEs

Summary

Cap-go before version 12.128.2 contains an information disclosure vulnerability in the OPTIONS /build/upload/:jobId/* endpoint. This allows unauthenticated attackers to enumerate valid builder job IDs through observable response discrepancies.

Risk Assessment

Attackers can probe the endpoint without authentication to distinguish valid job IDs from invalid ones, leading to unauthorized traffic and potential resource consumption.

Recommendation

It is recommended to upgrade to version 12.128.2 or later to mitigate this vulnerability and to monitor traffic to the endpoint for potential attack attempts.

Original NVD description (English source)

Cap-go before 12.128.2 contains an information disclosure vulnerability in the OPTIONS /build/upload/:jobId/* endpoint that allows unauthenticated attackers to enumerate valid builder job IDs through observable response discrepancies. Attackers can probe the endpoint without authentication to distinguish valid job IDs from invalid ones and generate sustained unauthenticated traffic for resource consumption.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS