Description
Capgo before 12.128.2 contains a scope escalation vulnerability in the POST /functions/v1/apikey endpoint that allows app-limited API keys to mint unrestricted keys by setting empty limits. Attackers with a compromised app-limited key can create an unrestricted key with org-wide access to resources like app listings and other protected endpoints.
Published: 2026-06-20
Score: 8.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Capgo servers before version 12.128.2 allow an attacker to increase privileges by creating an unrestricted API key through the POST /functions/v1/apikey endpoint. An app-limited key that has a restricted scope can set empty limits during key creation, resulting in a new key with org‑wide access to resources such as app listings and protected endpoints. The vulnerability is a classic privilege escalation flaw (CWE‑269).

Affected Systems

Capgo is the affected product. All installations running a version earlier than 12.128.2 are vulnerable; deployments on version 12.128.2 or later are not affected by this issue.

Risk and Exploitability

The CVSS score of 8.7 indicates a high severity with potential for extensive impact. EPSS data is not provided, but the lack of exploitation records and the absence of a listing in the CISA KEV catalog suggest that active exploitation may be limited so far. Nonetheless, the vulnerability can be exploited by any actor who has obtained an app‑limited key, a state that can be achieved through phishing or credential compromise. The attacker can then request a new key with no limits, effectively hijacking org‑wide administrative capabilities.

Generated by OpenCVE AI on June 20, 2026 at 01:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Capgo to version 12.128.2 or newer, which removes the flaw in the key‑creation endpoint.
  • If upgrading immediately is not feasible, block or restrict the ability to create API keys with empty limits for app‑limited keys (e.g., enforce non‑empty limits or disable the endpoint for app‑limited users).
  • Regularly audit and revoke any app‑limited keys, especially those that may have been compromised, and regenerate new keys as needed.
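As an illustration of the second recommended action, the following added example (not Capgo's own code) shows a hypothetical server-side scope check for a key-creation handler: the weak pattern treats empty requested limits as "no limits", while the hardened version never lets a new key hold more scope than the key that creates it. The `KeyScope`/`CreateKeyRequest` shapes and the `limitedToApps` field are assumptions for the demonstration.

```typescript
// Hypothetical model (assumption, not Capgo's data model): an API key is either
// unrestricted (limitedToApps === null) or limited to a set of app ids.
interface KeyScope {
  limitedToApps: string[] | null; // null = org-wide access
}

interface CreateKeyRequest {
  limitedToApps: string[]; // [] is the "empty limits" case from the advisory
}

class ScopeEscalationError extends Error {}

// Weak pattern: empty requested limits become "no limits", regardless of what
// the calling key is itself allowed to do. An app-limited caller can therefore
// mint an org-wide key.
function resolveScopeVulnerable(_caller: KeyScope, req: CreateKeyRequest): KeyScope {
  return { limitedToApps: req.limitedToApps.length === 0 ? null : req.limitedToApps };
}

// Hardened pattern: the new key's scope is derived from, and bounded by, the
// caller's scope.
//  - unrestricted caller: empty request may still mean unrestricted;
//  - app-limited caller: empty request is rejected, and every requested app
//    must be inside the caller's own allow-list.
function resolveScopeHardened(caller: KeyScope, req: CreateKeyRequest): KeyScope {
  const requested = [...new Set(req.limitedToApps)];
  if (caller.limitedToApps === null) {
    return { limitedToApps: requested.length === 0 ? null : requested };
  }
  if (requested.length === 0) {
    throw new ScopeEscalationError("app-limited key cannot mint an unrestricted key");
  }
  const allowed = new Set(caller.limitedToApps);
  const outside = requested.filter((app) => !allowed.has(app));
  if (outside.length > 0) {
    throw new ScopeEscalationError(`requested apps outside caller scope: ${outside.join(", ")}`);
  }
  return { limitedToApps: requested };
}
```

Logging and alerting on every rejected `ScopeEscalationError` gives a cheap detection signal for compromised app-limited keys probing the endpoint.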



Advisories

No advisories yet.

History

Sat, 20 Jun 2026 00:30:00 +0000

Type        | Values Removed | Values Added
Description |                | Capgo before 12.128.2 contains a scope escalation vulnerability in the POST /functions/v1/apikey endpoint that allows app-limited API keys to mint unrestricted keys by setting empty limits. Attackers with a compromised app-limited key can create an unrestricted key with org-wide access to resources like app listings and other protected endpoints.
Title       |                | Capgo - Scope Escalation via API Key Creation in /functions/v1/apikey
Weaknesses  |                | CWE-269
References  |                |
Metrics     |                | cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}
            |                | cvssV4_0: {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-20T00:14:38.984Z

Reserved: 2026-06-19T21:43:24.737Z

Link: CVE-2026-56216

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-20T01:30:05Z

Weaknesses

  • CWE-269: Improper Privilege Management