Description
Capgo before 12.128.2 contains a server-side request forgery vulnerability in webhook URL validation that allows loopback and internal addresses. Organization admins can configure webhooks pointing to localhost or 127.0.0.1, and when triggered, the backend performs outbound requests to these addresses with error responses disclosed to users.
Published: 2026-06-20
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in Capgo before version 12.128.2 and stems from webhook URL validation that does not reject loopback or internal addresses, so organization admins can configure webhooks pointing at such hosts. This permits a server-side request forgery that can target loopback and internal IP addresses. An attacker who can trigger the webhook can cause the Capgo backend to make outbound requests to localhost or 127.0.0.1, with the resulting error messages exposed to users. The flaw can lead to information disclosure and potential control of internal services.

Affected Systems

All versions of the Capgo core application older than 12.128.2 are affected.

Risk and Exploitability

The CVSS base score is 5.3, indicating moderate severity. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. The attack requires the adversary to be able to trigger a webhook, which normally means holding the organization admin role. Once triggered, the backend performs outbound HTTP requests to the supplied URL, which can reach internal hosts; the error responses from those requests are returned to the user, allowing access to sensitive internal information. No public exploitation has been documented, but the flaw remains exploitable by privileged users within a Capgo deployment.

Generated by OpenCVE AI on June 20, 2026 at 17:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Capgo to version 12.128.2 or later to apply the server‑side request forgery fix.
  • Restrict webhook URLs so that only external, authenticated endpoints are allowed and validate that the URL does not resolve to loopback or private IP ranges.
  • Configure firewall or network policies to block outbound requests from the Capgo server to internal addresses.
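
As an added example for the second recommended action (not Capgo's own code or fix), the following Python validator rejects webhook URLs whose host is a literal or resolves to a loopback, private, link-local, IPv4-mapped or otherwise non-global address. The `SAMPLE_DNS` table and its `sample_resolve` function are constructed stand-ins for a real resolver so the check runs offline; the `resolve_host` default uses the system resolver.

```python
import ipaddress
import socket
from typing import Callable, List, Tuple
from urllib.parse import urlsplit

ALLOWED_SCHEMES = ("http", "https")

# Constructed DNS table used only for the offline demonstration (not real records).
SAMPLE_DNS = {
    "hooks.example.com": ["93.184.216.34"],            # ordinary public endpoint
    "rebind.example.com": ["93.184.216.34", "127.0.0.1"],  # one public, one loopback answer
    "metadata.example.com": ["169.254.169.254"],       # link-local (cloud metadata style)
    "v6loop.example.com": ["::1"],                     # IPv6 loopback
}


def sample_resolve(host: str) -> List[str]:
    """Constructed resolver: look the host up in SAMPLE_DNS (unknown hosts -> no answer)."""
    return SAMPLE_DNS.get(host.lower(), [])


def resolve_host(host: str) -> List[str]:
    """Default resolver: every A/AAAA address the system resolver returns for host."""
    try:
        infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def is_internal_address(ip: str) -> bool:
    """True for loopback, private, link-local, multicast, unspecified and other non-global addresses."""
    addr = ipaddress.ip_address(ip)
    # Unwrap IPv4-mapped IPv6 (e.g. ::ffff:127.0.0.1) so the IPv4 rules apply to it.
    mapped = getattr(addr, "ipv4_mapped", None)
    if mapped is not None:
        addr = mapped
    return not addr.is_global


def validate_webhook_url(
    url: str, resolve: Callable[[str], List[str]] = resolve_host
) -> Tuple[bool, str]:
    """Return (ok, reason). ok is True only when every address behind the URL is globally routable."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname  # already lowercased, brackets stripped from IPv6 literals
    if not host:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials in URL not allowed"
    if host == "localhost" or host.endswith(".localhost"):
        return False, "localhost not allowed"
    try:
        ipaddress.ip_address(host)          # literal IP: check it directly
        addresses = [host]
    except ValueError:
        addresses = resolve(host)            # hostname: check every answer, not just the first
        if not addresses:
            return False, f"host {host!r} does not resolve"
    for ip in addresses:
        if is_internal_address(ip):
            return False, f"{host} resolves to internal address {ip}"
    return True, "ok"


if __name__ == "__main__":
    for candidate in (
        "https://hooks.example.com/notify",
        "http://127.0.0.1:8080/admin",
        "http://[::ffff:127.0.0.1]/",
        "http://rebind.example.com/",
        "http://metadata.example.com/latest",
        "ftp://hooks.example.com/",
    ):
        print(candidate, "->", validate_webhook_url(candidate, resolve=sample_resolve))
```

Two caveats for deploying such a check: a hostname that passes at configuration time can be re-pointed at an internal address later (DNS rebinding), so re-run the check when the webhook fires and connect to the address that was validated rather than resolving again; and, independently of URL validation, the backend should not relay upstream response bodies or error text to users, since that relay is what turns an SSRF into the disclosure this record describes.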

Advisories

No advisories yet.

History

Sat, 20 Jun 2026 16:15:00 +0000

Type          Values Removed   Values Added
Description                    Capgo before 12.128.2 contains a server-side request forgery vulnerability in webhook URL validation that allows loopback and internal addresses. Organization admins can configure webhooks pointing to localhost or 127.0.0.1, and when triggered, the backend performs outbound requests to these addresses with error responses disclosed to users.
Title                          Capgo - Server-Side Request Forgery via Webhook URL Validation
Weaknesses                     CWE-918
References
Metrics                        cvssV3_1: {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}
                               cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:L'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-20T15:24:41.272Z

Reserved: 2026-06-19T21:46:58.630Z

Link: CVE-2026-56227

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-20T17:30:08Z

Weaknesses
  • CWE-918: Server-Side Request Forgery (SSRF)