Impact
Capgo versions earlier than 12.128.2 contain an authorization bypass that lets credentials capable of accessing an application’s /build/status and /build/logs endpoints retrieve build job details for other applications. By explicitly providing a valid app_id combined with a job_id belonging to a different app, an attacker can view logs, metadata, and other sensitive data that are normally protected. The flaw is described by CWE‑639 (Authorization Bypass Through User Controlled Key). The primary consequence is information disclosure; attackers gain insight into build processes and potentially credentials, but do not execute arbitrary code.
Affected Systems
The vulnerability affects Capgo installations running any version before 12.128.2. This includes deployments that use limited API keys restricted to a single application but still provide access to the /build/status and /build/logs APIs. All users who can authenticate with an app‑level key are potentially at risk, regardless of the intended scope of that key.
Risk and Exploitability
With a CVSS score of 7.1, the issue is rated high severity. No EPSS score is available and there is no KEV listing, but neither lowers the inherent risk of an authorization bypass. The likely attack vector is the exposed HTTP endpoints: an adversary needs network reach to the Capgo service and an authenticated API key. Once authenticated, a request with a mismatched app_id and job_id is trivial to craft and retrieves data from other apps, making exploitation technically straightforward.
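The CWE-639 pattern described under Impact and in the paragraph above, shown beside a hardened check. This is an added illustration, not Capgo's source code: the types, function names, key and job records are hypothetical and the sample data is constructed.

```typescript
// Added illustration: hypothetical names, not Capgo's code. Sample data is constructed.
type Job = { jobId: string; appId: string; status: string };
type ApiKey = { id: string; allowedApps: string[] };
type Result = { code: number; body?: Job };

// Constructed sample store: two apps, one build job each.
const JOBS: Record<string, Job> = {
  "job-a1": { jobId: "job-a1", appId: "com.example.alpha", status: "succeeded" },
  "job-b1": { jobId: "job-b1", appId: "com.example.beta", status: "failed" },
};

// A key limited to a single application, as in the advisory's scenario.
const ALPHA_KEY: ApiKey = { id: "key-alpha", allowedApps: ["com.example.alpha"] };

function keyCanAccessApp(key: ApiKey, appId: string): boolean {
  return key.allowedApps.indexOf(appId) !== -1;
}

// CWE-639 pattern: the caller-supplied app_id is authorized, but the job is
// then fetched by job_id alone, so the two values are never tied together.
function buildStatusUnbound(key: ApiKey, appId: string, jobId: string): Result {
  if (!keyCanAccessApp(key, appId)) return { code: 403 };
  const job = JOBS[jobId];
  if (!job) return { code: 404 };
  return { code: 200, body: job };
}

// Hardened form: the job must belong to the app_id that was authorized.
// A mismatch returns 404, the same as an unknown job, so the response does
// not confirm that the job_id exists under another app.
function buildStatusBound(key: ApiKey, appId: string, jobId: string): Result {
  if (!keyCanAccessApp(key, appId)) return { code: 403 };
  const job = JOBS[jobId];
  if (!job || job.appId !== appId) return { code: 404 };
  return { code: 200, body: job };
}
```

The same ownership check applies to any endpoint that takes both identifiers, so a regression test that requests another app's job with an app-scoped key and expects a 404 is worth keeping alongside the handlers.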