Impact
Capgo versions prior to 12.128.2 contain a broken object-level authorization (BOLA) flaw in the middlewareKey component. The middleware accepts a user-controlled x-limited-key-id header without verifying that the referenced key belongs to the authenticated user. As a result, any authenticated user can supply another tenant's limited key ID and bypass the authorization check, gaining access to resources that belong to a different tenant. The primary impact is unauthorized disclosure or manipulation of cross-tenant data.
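To make the flaw class concrete, the following added example (not Capgo's code; the data layout, request shape and function names are assumptions) models a "limited key" middleware in TypeScript. The vulnerable variant looks up whatever key ID the header names and trusts it; the hardened variant scopes the lookup to the authenticated user, so a key that exists but belongs to another tenant is treated as not found. Two check functions show how a regression test would distinguish the two behaviours.

```typescript
// Added illustration of a broken object-level authorization pattern in a
// header-driven key middleware. Hypothetical model, not Capgo's code.

interface LimitedKey {
  id: string;
  ownerUserId: string; // tenant/user that created the key (assumed field)
  scopes: string[];
}

interface IncomingRequest {
  authenticatedUserId: string; // set by an earlier authentication step (assumed)
  headers: Record<string, string>; // lower-cased header names
}

// Constructed sample data: two tenants, one limited key each.
const KEY_STORE: LimitedKey[] = [
  { id: "key-tenant-a", ownerUserId: "user-a", scopes: ["read"] },
  { id: "key-tenant-b", ownerUserId: "user-b", scopes: ["read", "write"] },
];

function findKey(id: string): LimitedKey | undefined {
  return KEY_STORE.find((k) => k.id === id);
}

// Vulnerable pattern: the key named in x-limited-key-id is resolved and
// returned without checking who owns it, so the caller inherits the scopes
// of any key whose ID they can guess or obtain.
function middlewareKeyVulnerable(req: IncomingRequest): LimitedKey | null {
  const keyId = req.headers["x-limited-key-id"];
  if (!keyId) return null;
  return findKey(keyId) ?? null;
}

// Hardened pattern: the object is only usable if it belongs to the
// authenticated principal. "Not yours" and "does not exist" collapse into
// the same null result so the response does not leak key existence.
function middlewareKeyFixed(req: IncomingRequest): LimitedKey | null {
  const keyId = req.headers["x-limited-key-id"];
  if (!keyId) return null;
  const key = findKey(keyId);
  if (!key || key.ownerUserId !== req.authenticatedUserId) return null;
  return key;
}

type KeyMiddleware = (req: IncomingRequest) => LimitedKey | null;

// Regression check: does the middleware grant user-a a key owned by user-b?
function crossTenantAccessPossible(mw: KeyMiddleware): boolean {
  const req: IncomingRequest = {
    authenticatedUserId: "user-a",
    headers: { "x-limited-key-id": "key-tenant-b" },
  };
  const granted = mw(req);
  return granted !== null && granted.ownerUserId !== req.authenticatedUserId;
}

// Sanity check: a user presenting their own key must still be served.
function ownKeyAccessWorks(mw: KeyMiddleware): boolean {
  const req: IncomingRequest = {
    authenticatedUserId: "user-a",
    headers: { "x-limited-key-id": "key-tenant-a" },
  };
  const granted = mw(req);
  return granted !== null && granted.id === "key-tenant-a";
}
```

The ownership comparison in `middlewareKeyFixed` is the whole fix: the header still selects which key to use, but the lookup is bound to the identity established by authentication, which is what the vulnerable middleware omits. Returning the same null for a foreign key and a missing key is a deliberate choice so that probing the header does not reveal which key IDs exist.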
Affected Systems
The affected product is Capgo, a cloud service for application data synchronization, with versions earlier than 12.128.2 vulnerable to this flaw. Administrators should review all Capgo deployments that have not applied the 12.128.2 patch or later.
Risk and Exploitability
The CVSS score of 8.7 indicates high severity, but no EPSS score is available, so the likelihood of exploitation cannot be quantified. The vulnerability is not listed in CISA's KEV catalog. Attackers must be authenticated and able to supply custom HTTP headers, so the likely attack vector is a legitimate user account misused to inject a different tenant's key ID. Once exploited, the attacker can read or modify cross-tenant resources across multiple API endpoints.
OpenCVE Enrichment