Description
Capgo before 12.128.2 contains a server-side request forgery vulnerability in webhook URL validation that allows loopback and internal addresses. Organization admins can configure webhooks pointing to localhost or 127.0.0.1, and when triggered, the backend performs outbound requests to these addresses with error responses disclosed to users.
Published: 2026-06-20
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in Capgo before version 12.128.2 and allows administrators to configure webhooks whose URLs are not properly validated. This permits a server‑side request forgery that can target loopback and internal IP addresses. An attacker who can trigger the webhook can cause the Capgo backend to make outbound requests to localhost or 127.0.0.1, with the resulting error messages exposed to users. The flaw can lead to information disclosure and potential control of internal services.

Affected Systems

Capgo core application, versions older than 12.128.2 are affected.

Risk and Exploitability

The CVSS base score is 5.3, indicating moderate severity. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. The attack vector requires the adversary to be able to trigger a webhook, normally performed by an organization admin. Once triggered, the backend performs outbound HTTP requests to the supplied URL, which can reach internal hosts; the response body is returned to the user, allowing access to sensitive internal information. The lack of documented public exploitation suggests limited public use, but the flaw remains exploitable by privileged users within a Capgo deployment.

Generated by OpenCVE AI on June 20, 2026 at 17:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Capgo to version 12.128.2 or later to apply the server‑side request forgery fix.
  • Restrict webhook URLs so that only external, authenticated endpoints are allowed and validate that the URL does not resolve to loopback or private IP ranges.
  • Configure firewall or network policies to block outbound requests from the Capgo server to internal addresses.

Generated by OpenCVE AI on June 20, 2026 at 17:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Cap-go
Cap-go cap-go
Vendors & Products Cap-go
Cap-go cap-go

Mon, 22 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sat, 20 Jun 2026 16:15:00 +0000

Type Values Removed Values Added
Description Capgo before 12.128.2 contains a server-side request forgery vulnerability in webhook URL validation that allows loopback and internal addresses. Organization admins can configure webhooks pointing to localhost or 127.0.0.1, and when triggered, the backend performs outbound requests to these addresses with error responses disclosed to users.
Title Capgo - Server-Side Request Forgery via Webhook URL Validation
Weaknesses CWE-918
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:L'}


cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-22T12:45:02.541Z

Reserved: 2026-06-19T21:46:58.630Z

Link: CVE-2026-56227

cve-icon Vulnrichment

Updated: 2026-06-22T12:44:44.789Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T20:15:07Z

Weaknesses
  • CWE-918

    Server-Side Request Forgery (SSRF)