CVE Catalog

CVE-2026-56319

MediumCVSS 4.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.19%

8th percentile — higher than 8% of all known CVEs

Summary

Capgo before 12.128.2 contains an information disclosure vulnerability in the GET /statistics/app/:app_id endpoint that allows app-limited API keys to distinguish existing sibling app IDs through differential error responses. Attackers can enumerate real app IDs outside their allowed scope by observing 500 PGRST116 errors for inaccessible apps versus 401 errors for nonexistent apps.

Risk Assessment

This vulnerability may lead to a breach of tenant isolation, allowing attackers to gain access to information about applications that are outside their scope. This could result in unauthorized access to data and resources.

Recommendation

It is recommended to upgrade to Capgo version 12.128.2 or later to mitigate this vulnerability. Additionally, it is advisable to review and strengthen API access control mechanisms.

Original NVD description (English source)

Capgo before 12.128.2 contains an information disclosure vulnerability in the GET /statistics/app/:app_id endpoint that allows app-limited API keys to distinguish existing sibling app IDs through differential error responses. Attackers can enumerate real app IDs outside their allowed scope by observing 500 PGRST116 errors for inaccessible apps versus 401 errors for nonexistent apps, breaking tenant isolation.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS