CVE-2026-56225
Capgo - Authorization Bypass in API Key Management via App-Limited Keys
CVSS Score
8.3
EPSS Score
0.0%
EPSS Percentile
0th
Capgo before 12.128.2 contains an authorization bypass vulnerability in its public API key management handlers (get/put/delete/post). API keys created with mode=all but restricted to a single app via limited_to_apps are only checked for limited_to_orgs and not for limited_to_apps, so an app-scoped key can enumerate, update, and delete sibling API keys belonging to the same account that are outside its declared app scope, enabling tampering with account-level credentials.
| CWE | CWE-269 |
| Vendor | capgo |
| Product | capgo |
| Published | Jun 23, 2026 |
| Last Updated | Jun 23, 2026 |
Stay Ahead of the Next One
Get instant alerts for capgo capgo
Be the first to know when new high vulnerabilities affecting capgo capgo are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
Low
Affected Versions
Capgo / Capgo
0 < 12.128.2
References
Credits
๐ Judel777