Description
Capgo before 12.128.2 contains a broken object level authorization (BOLA) vulnerability in the POST /build/start/:jobId and POST /build/cancel/:jobId endpoints. The handlers authorize the request based only on the attacker-controlled app_id supplied in the request body and never verify that the jobId in the URL belongs to that app_id (or the same tenant/org) before issuing privileged builder commands with the server-held builder API key. An authenticated user with the app.build_native permission for any app they control can start or cancel arbitrary builder jobs belonging to other tenants by supplying a victim jobId, resulting in cross-tenant build sabotage (denial of service), unauthorized compute actions, and potential billing impact.
Published: 2026-06-24
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Capgo versions older than 12.128.2 allow an authenticated user possessing the app.build_native permission to exploit a broken object-level authorization flaw. The POST /build/start/:jobId and POST /build/cancel/:jobId routes verify the supplied app_id only and do not confirm that the jobId in the URL belongs to that app or tenant. Consequently, an attacker can start or cancel builder jobs owned by other tenants, leading to denial of service, unauthorized compute operations, and possible billing discrepancies. The flaw is classified as CWE-285 (Improper Authorization).

Affected Systems

All Capgo deployments running a release older than 12.128.2 are affected, regardless of the specific host or cloud platform. The vulnerability impacts the server-side API handling of build job control operations.

Risk and Exploitability

The CVSS score of 7.2 indicates a high severity. EPSS is not available, and the issue is not listed in the CISA KEV catalog. Exploitation requires that the attacker already has valid credentials with the app.build_native privilege, making the threat contingent on authenticated, non-admin accounts. Once authenticated, the attacker can instruct the server to execute privileged builder commands on arbitrary tenant jobs, providing a direct path to denial of service and potential financial exploitation.

Generated by OpenCVE AI on June 24, 2026 at 14:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Capgo to version 12.128.2 or newer on all affected instances.
  • Restrict the app.build_native permission to only users or roles that truly require build capabilities, revoking it for others.
  • Ensure that the API verifies the jobId against the app_id and tenant context before performing build start or cancel actions; apply this check as a temporary workaround until the official patch is applied.
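The following is an added example, not Capgo's own code, showing the handler pattern described in the CVE text beside the ownership check the recommendation above asks for. The job and app records, the permission table, and the builder stub are constructed in memory with hypothetical names; the point is that the fixed handler resolves the jobId first and refuses to act unless the job belongs to the app_id (and that app's org) the app.build_native grant was checked against.

```typescript
// Added example (not Capgo's code): constructed in-memory stand-ins for the
// job and app records; names and shapes are hypothetical.
type Job = { id: string; app_id: string; org_id: string };
type App = { id: string; org_id: string };
type Req = { user: string; params: { jobId: string }; body: { app_id: string } };
type Res = { status: number };
const apps: Record<string, App> = {
  "app-attacker": { id: "app-attacker", org_id: "org-attacker" },
  "app-victim": { id: "app-victim", org_id: "org-victim" },
};
const jobs: Record<string, Job> = {
  "job-attacker-1": { id: "job-attacker-1", app_id: "app-attacker", org_id: "org-attacker" },
  "job-victim-1": { id: "job-victim-1", app_id: "app-victim", org_id: "org-victim" },
};
// alice legitimately holds app.build_native on her own app only.
const buildNativeGrants: Record<string, string[]> = { alice: ["app-attacker"] };

// Stand-in for the privileged call made with the server-held builder API key.
const builderCalls: string[] = [];
function callBuilder(action: "start" | "cancel", jobId: string): void {
  builderCalls.push(`${action}:${jobId}`);
}
function hasBuildNative(user: string, appId: string): boolean {
  const granted = buildNativeGrants[user];
  return granted !== undefined && granted.indexOf(appId) !== -1;
}

// Vulnerable pattern: permission is checked against the caller-supplied
// app_id, but the jobId from the URL is never tied back to that app.
function buildControlVulnerable(action: "start" | "cancel", req: Req): Res {
  if (!hasBuildNative(req.user, req.body.app_id)) return { status: 403 };
  callBuilder(action, req.params.jobId); // any jobId reaches the builder
  return { status: 200 };
}

// Fixed pattern: resolve the job, then require it to belong to the app (and
// the app's org) that the permission was granted for before acting on it.
function buildControlFixed(action: "start" | "cancel", req: Req): Res {
  if (!hasBuildNative(req.user, req.body.app_id)) return { status: 403 };
  const job = jobs[req.params.jobId];
  const app = apps[req.body.app_id];
  // Unknown and foreign jobs get the same answer, so the endpoint does not
  // reveal whether another tenant's jobId exists.
  if (!job || !app || job.app_id !== app.id || job.org_id !== app.org_id) {
    return { status: 404 };
  }
  callBuilder(action, job.id);
  return { status: 200 };
}
```

With the fixed handler the cross-tenant request never reaches callBuilder, while the same user's own job is still accepted; a real implementation would perform the job lookup as a query scoped to the app and org rather than against an in-memory map.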


Advisories

No advisories yet.

History

Wed, 24 Jun 2026 16:00:00 +0000

Type: First Time appeared
  Values Removed: (none)
  Values Added: Cap-go; Cap-go cap-go

Type: Vendors & Products
  Values Removed: (none)
  Values Added: Cap-go; Cap-go cap-go

Wed, 24 Jun 2026 12:00:00 +0000

Type: Description
  Values Removed: (none)
  Values Added: the description text shown at the top of this page

Type: Title
  Values Removed: (none)
  Values Added: Capgo - Broken Object Level Authorization in Build Job Control via jobId Parameter

Type: Weaknesses
  Values Removed: (none)
  Values Added: CWE-285

Type: References
  Values Removed: (none)
  Values Added: (none)

Type: Metrics
  Values Removed: (none)
  Values Added:
    cvssV3_1: score 7.6, vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H
    cvssV4_0: score 7.2, vector CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-25T13:26:14.274Z

Reserved: 2026-06-19T21:46:58.631Z

Link: CVE-2026-56231

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T15:45:06Z

Weaknesses