Description
Capgo before 12.128.2 contains an authorization bypass vulnerability in its public API key management handlers (get/put/delete/post). API keys created with mode=all but restricted to a single app via limited_to_apps are only checked for limited_to_orgs and not for limited_to_apps, so an app-scoped key can enumerate, update, and delete sibling API keys belonging to the same account that are outside its declared app scope, enabling tampering with account-level credentials.
Published: 2026-06-23
Score: 8.7 High (CVSS v4.0; CVSS v3.1 base score 8.3)
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Capgo releases earlier than 12.128.2 let the holder of any API key created with mode=all and restricted to a single app via limited_to_apps enumerate, modify, or delete the other API keys of the same account, including sibling keys outside the caller's declared app scope. The key-management handlers check only limited_to_orgs, so the app scope a key declares is never enforced on those operations. The key holder can therefore tamper with account-level credentials, which amounts to privilege escalation within the account and compromises the confidentiality and integrity of every key the caller can reach (C:H/I:H in both CVSS vectors).

Affected Systems

Capgo running any release prior to 12.128.2 is affected. The flaw is in the public API key management handlers (get/put/delete/post): they verify the caller key's limited_to_orgs restriction but never its limited_to_apps restriction, so an app-scoped key is treated as if it were org-wide for the purpose of managing other keys.
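The check described above, modelled in TypeScript as an added example. This is not Capgo's code: only the field names mode, limited_to_orgs and limited_to_apps come from the CVE text. The ApiKey type, the user_id field, the mode values other than 'all', the function names, the withinScope rule and the sample keys are assumptions made for illustration. The vulnerable variant consults only the org restriction; the hardened variant applies the same rule to the app restriction, and the enumeration helper shows what an app-scoped key sees under each.

```typescript
// Added example modelling the CVE-2026-56225 authorization check.
// Not Capgo's code: only the field names mode, limited_to_orgs and
// limited_to_apps come from the CVE text; the type, function names,
// the user_id field, the mode values other than 'all' and the sample
// keys below are assumptions made for illustration.

type ApiKey = {
  id: string;
  user_id: string;           // owning account (assumed field name)
  mode: 'all' | 'read' | 'write' | 'upload'; // values besides 'all' assumed
  limited_to_orgs: string[]; // [] means "not restricted by org"
  limited_to_apps: string[]; // [] means "not restricted by app"
};

type Check = (caller: ApiKey, target: ApiKey) => boolean;

// A caller restricted to callerScope may only touch a target whose scope is at
// least as narrow. An unrestricted caller ([]) passes; a restricted caller may
// not touch an unrestricted target, nor one naming an entry outside its own list.
function withinScope(callerScope: string[], targetScope: string[]): boolean {
  if (callerScope.length === 0) return true;
  if (targetScope.length === 0) return false;
  return targetScope.every((entry) => callerScope.includes(entry));
}

// Behaviour the CVE describes for Capgo < 12.128.2: a mode=all key may manage
// any sibling key of the same account as long as limited_to_orgs is satisfied.
// limited_to_apps is never consulted, so an app-scoped key reaches every key
// in its org, whatever app those keys are scoped to.
function canManageKeyVulnerable(caller: ApiKey, target: ApiKey): boolean {
  if (caller.mode !== 'all') return false;            // key management needs mode=all (assumed)
  if (caller.user_id !== target.user_id) return false; // only sibling keys of the same account
  return withinScope(caller.limited_to_orgs, target.limited_to_orgs);
}

// Hardened check: the app restriction is enforced with the same rule as the org
// restriction, so a key limited to one app can only manage keys limited to a
// subset of its own apps, and never an org-wide (app-unrestricted) key.
function canManageKeyFixed(caller: ApiKey, target: ApiKey): boolean {
  if (!canManageKeyVulnerable(caller, target)) return false;
  return withinScope(caller.limited_to_apps, target.limited_to_apps);
}

// Stand-in for the get handler: the ids the caller is allowed to enumerate.
// put/delete/post would gate on the same check before touching the row.
function visibleKeys(caller: ApiKey, keys: ApiKey[], check: Check): string[] {
  return keys.filter((k) => check(caller, k)).map((k) => k.id);
}

// Constructed sample: one account (u1) with an app-scoped key per app, an
// org-wide key and a key for a second org, plus an unrelated account (u2).
const SAMPLE_KEYS: ApiKey[] = [
  { id: 'k-app-a',      user_id: 'u1', mode: 'all', limited_to_orgs: ['org-1'], limited_to_apps: ['com.example.appa'] },
  { id: 'k-app-b',      user_id: 'u1', mode: 'all', limited_to_orgs: ['org-1'], limited_to_apps: ['com.example.appb'] },
  { id: 'k-org-wide',   user_id: 'u1', mode: 'all', limited_to_orgs: ['org-1'], limited_to_apps: [] },
  { id: 'k-other-org',  user_id: 'u1', mode: 'all', limited_to_orgs: ['org-2'], limited_to_apps: [] },
  { id: 'k-other-user', user_id: 'u2', mode: 'all', limited_to_orgs: [],        limited_to_apps: [] },
];

const appScopedKey = SAMPLE_KEYS[0];
console.log('vulnerable:', visibleKeys(appScopedKey, SAMPLE_KEYS, canManageKeyVulnerable));
// vulnerable: [ 'k-app-a', 'k-app-b', 'k-org-wide' ]  <- siblings outside the app scope
console.log('fixed:     ', visibleKeys(appScopedKey, SAMPLE_KEYS, canManageKeyFixed));
// fixed:      [ 'k-app-a' ]
```

The design choice worth noting is that withinScope treats an unrestricted target as broader than any restricted caller: an app-scoped key must not be able to read or rewrite an org-wide key, while an org-wide key can still administer the app-scoped ones. Gating put, delete and post on the same predicate closes all four handlers the CVE names.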

Risk and Exploitability

The vulnerability scores 8.7 (High) under CVSS v4.0 and 8.3 under CVSS v3.1; both vectors are network-reachable, low complexity, low privileges, no user interaction. No EPSS score is available and it is not listed in CISA KEV, although the SSVC enrichment records Exploitation: poc and Automatable: no. The only prerequisite is possession of an app-scoped API key with mode=all, which is a low bar: narrowly scoped keys are precisely the ones an account is most likely to hand to build pipelines or third parties. With such a key an attacker can enumerate, change, or delete the account's other keys with no further credential or user interaction, a straightforward path to broader account access.

Generated by OpenCVE AI on June 23, 2026 at 13:26 UTC.

Remediation

The CVE record carries no vendor-supplied fix or workaround text. The description itself identifies 12.128.2 as the first version without the flaw, so upgrading to that release is the remediation.

OpenCVE Recommended Actions

  • Upgrade Capgo to version 12.128.2 or later to fix the authorization bypass.
  • Rotate every API key in affected accounts, not only the app-scoped ones: any app-scoped key could have listed, altered, or deleted its siblings, so all keys should be treated as potentially exposed. Re-create keys with the narrowest mode that works, and add limited_to_apps only where that scope is actually needed.
  • Monitor API key creation, modification, and deletion events, and alert when a change is made with a key whose app scope does not cover the key being changed; enforce least privilege by limiting each key to the applications it needs.

Advisories

No advisories yet.

History

Tue, 23 Jun 2026 13:30:00 +0000

  Type      Values Removed   Values Added
  Metrics   (none)           ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 23 Jun 2026 12:45:00 +0000

  Type          Values Removed   Values Added
  Description   (none)           Capgo before 12.128.2 contains an authorization bypass vulnerability in its public API key management handlers (get/put/delete/post). API keys created with mode=all but restricted to a single app via limited_to_apps are only checked for limited_to_orgs and not for limited_to_apps, so an app-scoped key can enumerate, update, and delete sibling API keys belonging to the same account that are outside its declared app scope, enabling tampering with account-level credentials.
  Title         (none)           Capgo - Authorization Bypass in API Key Management via App-Limited Keys
  Weaknesses    (none)           CWE-269
  References    (none)
  Metrics       (none)           cvssV3_1: {'score': 8.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L'}
                                 cvssV4_0: {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-23T13:04:43.526Z

Reserved: 2026-06-19T21:46:58.630Z

Link: CVE-2026-56225

Vulnrichment

Updated: 2026-06-23T13:04:31.093Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-23T13:30:03Z

Weaknesses
  • CWE-269: Improper Privilege Management