Description
Capgo before 12.128.2 contains a broken object level authorization vulnerability in middlewareKey() that accepts the client-controlled x-limited-key-id header without validating ownership, allowing authenticated users to adopt cross-tenant limited keys. Attackers can supply another tenant's limited key ID to bypass authorization checks and access unauthorized cross-tenant resources across multiple API endpoints.
Published: 2026-06-30
Score: 8.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Capgo versions prior to 12.128.2 contain a broken object level authorization flaw in the middlewareKey component. The vulnerability stems from the middleware accepting a user-controlled x-limited-key-id header without verifying that the key belongs to the authenticated user. As a result, any authenticated user may supply another tenant's limited key ID and bypass authorization checks, allowing them to access resources that belong to a different tenant. The primary impact is the unauthorized disclosure or manipulation of cross-tenant data.

Affected Systems

The affected product is Capgo, a cloud service for application data synchronization, with versions earlier than 12.128.2 vulnerable to this flaw. Administrators should review all Capgo deployments that have not applied the 12.128.2 patch or later.

Risk and Exploitability

The CVSS score of 8.7 indicates high severity, but the EPSS score is not available so the exact likelihood of exploitation cannot be quantified. The vulnerability is not listed in CISA's KEV catalog. Attackers must be authenticated and must be able to supply custom HTTP headers, so the likely attack vector is a legitimate user account misused to inject a different tenant's key ID. Once exploited, the attacker can read or modify cross-tenant resources across multiple API endpoints.

Generated by OpenCVE AI on June 30, 2026 at 23:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Capgo to version 12.128.2 or newer to apply the vendor's fix, which adds proper ownership validation to the x-limited-key-id header.
  • If upgrading is not immediately possible, configure the service or a reverse proxy to reject or sanitize the x-limited-key-id header when the provided key ID does not belong to the authenticated user, effectively reinstituting the missing ownership check.
  • Apply a general best-practice code review and defensive validation to ensure that all object-level authorization checks reference the authenticated user's tenant ID, mitigating similar CWE-639-type vulnerabilities in the future.


Advisories

No advisories yet.

History

Tue, 30 Jun 2026 22:45:00 +0000

Type | Values removed | Values added
Description | | Capgo before 12.128.2 contains a broken object level authorization vulnerability in middlewareKey() that accepts the client-controlled x-limited-key-id header without validating ownership, allowing authenticated users to adopt cross-tenant limited keys. Attackers can supply another tenant's limited key ID to bypass authorization checks and access unauthorized cross-tenant resources across multiple API endpoints.
Title | | Capgo - Broken Object Level Authorization via x-limited-key-id Header
Weaknesses | | CWE-639
References | |
Metrics | | cvssV3_1: score 8.8, vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H; cvssV4_0: score 8.7, vector CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-30T22:08:23.538Z

Reserved: 2026-06-19T21:46:58.631Z

Link: CVE-2026-56230

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-30T23:30:04Z

Weaknesses
  • CWE-639

    Authorization Bypass Through User-Controlled Key