Description
Capgo before 12.128.2 contains a cross-tenant authorization bypass vulnerability in PostgREST endpoints that allows org-scoped read API keys to access other tenants' webhook secrets and delivery logs. Attackers can query the webhooks and webhook_deliveries endpoints to exfiltrate HMAC signing secrets and delivery payloads, enabling forged webhook events against victim organizations.
Published: 2026-06-19
Score: 7.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Capgo versions prior to 12.128.2 contain a Cross‑Tenant Authorization Bypass in PostgREST endpoints that permits organization‑scoped read API keys to retrieve webhook secrets and delivery logs belonging to other tenants. An attacker possessing such a key can query “webhooks” and “webhook_deliveries” endpoints to exfiltrate HMAC signing secrets and payloads, enabling the creation of forged webhook events that can be sent to victim organizations. This exposure results in the disclosure of confidential secrets (CWE‑200) and the potential for unauthorized operation execution via fabricated webhook messages.

Affected Systems

The affected vendor is Capgo, specifically the Capgo application prior to version 12.128.2. The vulnerability applies to all deployments that expose the PostgREST API endpoints "webhooks" and "webhook_deliveries" to organization‑level read keys.

Risk and Exploitability

The CVSS v4.0 base score of 7.1 (v3.1: 6.5) rates this High. Both vectors score a confidentiality-only impact on the vulnerable system (VC:H / C:H with no integrity or availability impact): the forged-webhook consequence is a downstream effect on the receivers of the victim organization, not something the metrics capture. No EPSS score is available, so the likelihood of exploitation is unquantified, and the vulnerability is not listed in CISA's KEV catalog. Exploitation requires a valid organization-scoped read API key (PR:L); no other privilege or user interaction is needed, so any one leaked, over-shared or malicious-tenant key is sufficient. A holder of such a key can read every tenant's HMAC signing secrets and delivery payloads and then send events that verify correctly at other tenants' webhook receivers, turning a single low-privilege key into a foothold against every organization on the same deployment.

Generated by OpenCVE AI on June 19, 2026 at 23:21 UTC.
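The following is an added illustration, not code from Capgo or from this advisory. It models the read path described above as two in-memory tables behind an org-scoped read key, with the authorization predicate written once the way the description says the vulnerable version behaved (key validity checked, row tenancy not checked) and once with the tenant-scoped predicate a fix of this class needs. It then shows why the leak matters: a secret read across tenants lets the attacker sign an event the victim's receiver accepts. The table and column names, the key format, the org identifiers and the event shape are all constructed assumptions; the real Capgo schema and fix are not given on this page.

```python
"""Added example: model of a cross-tenant PostgREST read and its consequence.

Everything here is constructed for illustration. Table/column names, API key
values, org ids and the webhook event format are assumptions, not Capgo's.
"""
import hashlib
import hmac
import json

# Constructed sample data: two tenants, each with one webhook and one delivery.
WEBHOOKS = [
    {"id": 1, "org_id": "org-a", "url": "https://a.example/hook", "secret": "a-secret-1"},
    {"id": 2, "org_id": "org-b", "url": "https://b.example/hook", "secret": "b-secret-2"},
]
WEBHOOK_DELIVERIES = [
    {"id": 10, "org_id": "org-a", "webhook_id": 1, "payload": {"event": "app.updated", "app": "a1"}},
    {"id": 11, "org_id": "org-b", "webhook_id": 2, "payload": {"event": "app.updated", "app": "b1"}},
]
TABLES = {"webhooks": WEBHOOKS, "webhook_deliveries": WEBHOOK_DELIVERIES}

# Constructed API keys: each is bound to one org and a "read" mode.
API_KEYS = {
    "key-a-read": {"org_id": "org-a", "mode": "read"},
    "key-b-read": {"org_id": "org-b", "mode": "read"},
}


def _key_may_read(api_key):
    key = API_KEYS.get(api_key)
    return key if key is not None and key["mode"] == "read" else None


def select_vulnerable(table, api_key, filters):
    """Pre-fix behaviour as the advisory describes it: the policy checks that the
    key exists and has read access, but never compares the row's org_id with the
    key's org, so whatever filter the client supplies is honoured as-is."""
    if _key_may_read(api_key) is None:
        return []
    return [r for r in TABLES[table] if all(r.get(k) == v for k, v in filters.items())]


def select_fixed(table, api_key, filters):
    """Tenant-scoped policy: the server-side predicate row.org_id == key.org_id is
    ANDed with the client's filter, so client filters can narrow the result set
    but never widen it past the caller's own organization."""
    key = _key_may_read(api_key)
    if key is None:
        return []
    return [
        r for r in TABLES[table]
        if r["org_id"] == key["org_id"]
        and all(r.get(k) == v for k, v in filters.items())
    ]


def sign(secret, body):
    """Constructed HMAC-SHA256 signing scheme for webhook bodies."""
    return hmac.new(secret.encode(), body, hashlib.sha256).hexdigest()


def receiver_accepts(secret, body, signature):
    """What the victim's receiver does: verify the HMAC with its own copy of the secret."""
    return hmac.compare_digest(sign(secret, body), signature)


def forge_event_with_leaked_secret(select):
    """Attacker holding org-a's read key targets org-b under the given policy.
    Returns (leaked secret or None, whether org-b's receiver accepted a forged event)."""
    rows = select("webhooks", "key-a-read", {"org_id": "org-b"})
    if not rows:
        return None, False
    leaked = rows[0]["secret"]
    body = json.dumps({"event": "app.updated", "app": "b1", "version": "9.9.9"}).encode()
    # The receiver verifies against the real org-b secret; the forged signature matches.
    return leaked, receiver_accepts(WEBHOOKS[1]["secret"], body, sign(leaked, body))


if __name__ == "__main__":
    print("vulnerable policy:", forge_event_with_leaked_secret(select_vulnerable))
    print("tenant-scoped policy:", forge_event_with_leaked_secret(select_fixed))
```

The check a deployment owner wants is the probe in forge_event_with_leaked_secret: take a read key from one organization and request webhooks or webhook_deliveries rows filtered to another organization's id. Any non-empty result means the tenancy predicate is missing. Note that the fixed policy does not reject the cross-tenant filter with an error; it simply returns nothing, which is the behaviour PostgREST row filtering gives once the predicate is enforced server-side rather than trusted from the client.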

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Capgo to version 12.128.2 or later to remove the cross‑tenant read access flaw
  • Limit or revoke organization‑scoped read API keys until the upgrade is in place, and treat every tenant's webhook HMAC secret as exposed: upgrading closes the read path but does not invalidate secrets already exfiltrated, so rotate them and update the receivers that verify against them
  • Audit PostgREST API logs for read-key requests against the webhooks and webhook_deliveries endpoints that select rows belonging to another organization, and review webhook receiver logs for events that verified correctly but do not correspond to a real delivery

Advisories

No advisories yet.

History

Fri, 19 Jun 2026 22:15:00 +0000

Field: Description
  Values removed: none
  Values added: Capgo before 12.128.2 contains a cross-tenant authorization bypass vulnerability in PostgREST endpoints that allows org-scoped read API keys to access other tenants' webhook secrets and delivery logs. Attackers can query the webhooks and webhook_deliveries endpoints to exfiltrate HMAC signing secrets and delivery payloads, enabling forged webhook events against victim organizations.
Field: Title
  Values removed: none
  Values added: Capgo - Cross-Tenant Authorization Bypass via PostgREST Webhook Access
Field: Weaknesses
  Values removed: none
  Values added: CWE-200
Field: References
  Values removed: none
  Values added: none
Field: Metrics
  Values removed: none
  Values added:
    cvssV3_1: score 6.5, vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
    cvssV4_0: score 7.1, vector CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-19T21:39:19.543Z

Reserved: 2026-06-18T15:57:20.434Z

Link: CVE-2026-56079

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-19T23:30:05Z

Weaknesses
  • CWE-200

    Exposure of Sensitive Information to an Unauthorized Actor