Description
Capgo before 12.128.2 fails to enforce limited_to_orgs and limited_to_apps constraints on subkeys provided via x-limited-key-id header in middlewareKey function. Attackers can bypass subkey scope restrictions by referencing their own subkeys, causing all downstream route handlers to use the unrestricted parent key instead of the scoped subkey.
Published: 2026-06-24
Score: 8.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in Capgo’s middlewareKey function, where subkeys transmitted via the x-limited-key-id header are not correctly validated against their limited_to_orgs and limited_to_apps constraints. This omission allows an attacker to reference a subkey that they control, causing all downstream requests to be processed with the parent key rather than the intended scoped subkey. The result is a loss of confidentiality and integrity for any data protected by the parent key, and can lead to unauthorized data access or manipulation across the application. The weakness is classified as CWE‑863 (Incorrect Authorization).

Affected Systems

Capgo server application versions prior to 12.128.2 are vulnerable. The issue affects the Capgo product, specifically its middleware handling of API key scoping. Users deploying Capgo 12.128.1 or earlier on any configuration that accepts external HTTP requests are at risk.

Risk and Exploitability

The CVSS score of 8.7 indicates high severity, suggesting significant potential impact if exploited. The EPSS score is not available, so the current estimate of exploitation probability is unknown, but the vulnerability’s nature implies direct, in‑band exploitation by sending crafted HTTP headers. The issue is not listed in the CISA KEV catalog, yet its high CVSS implies that organizations should treat it as a critical flaw. Attackers would likely use standard HTTP clients to send the x-limited-key-id header, bypassing authorization controls without additional privileges.

Generated by OpenCVE AI on June 24, 2026 at 13:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Capgo to version 12.128.2 or newer to include the fixed enforcement of subkey scopes.
  • Verify that the middlewareKey function now rejects any x-limited-key-id header values that do not belong to the authenticated organization or application.
  • Restrict or eliminate the use of the x-limited-key-id header in production deployments, ensuring that only system‑controlled subkeys are generated and used internally.
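The following is an added illustration of the bug pattern described in the Impact section and of the check the second recommended action asks you to verify. It is a constructed model, not Capgo’s code: the key record shape, the field names (parentId, limitedToOrgs, limitedToApps), the fixture keys and the function names are all assumptions.

```typescript
// Hypothetical model of an API-key middleware; names are assumed, not Capgo's.
interface ApiKey {
  id: string;
  parentId: string | null;   // null for a parent key, otherwise the parent's id
  limitedToOrgs: string[];   // empty array = no org restriction
  limitedToApps: string[];   // empty array = no app restriction
}

// Constructed fixture: an unrestricted parent key, a subkey scoped to one
// org/app under it, and a subkey that belongs to a different parent.
const KEYS: ApiKey[] = [
  { id: "parent-1", parentId: null, limitedToOrgs: [], limitedToApps: [] },
  { id: "sub-1", parentId: "parent-1", limitedToOrgs: ["org-A"], limitedToApps: ["app-A"] },
  { id: "sub-2", parentId: "parent-2", limitedToOrgs: ["org-C"], limitedToApps: ["app-C"] },
];
const findKey = (id: string): ApiKey | undefined => KEYS.find((k) => k.id === id);

// Vulnerable shape: the subkey named in x-limited-key-id is looked up, but the
// value handed to route handlers is still the parent, so its scope never applies.
function resolveKeyVulnerable(authKeyId: string, headers: Record<string, string>): ApiKey | null {
  const parent = findKey(authKeyId);
  if (!parent) return null;
  const subId = headers["x-limited-key-id"];
  if (subId !== undefined) {
    const sub = findKey(subId);
    if (!sub || sub.parentId !== parent.id) return null;
    // BUG: `sub` is validated and then discarded.
  }
  return parent;
}

// Hardened shape: when a subkey is referenced, only a subkey that belongs to the
// authenticated parent is accepted, and the subkey itself is what downstream code sees.
function resolveKeyFixed(authKeyId: string, headers: Record<string, string>): ApiKey | null {
  const parent = findKey(authKeyId);
  if (!parent) return null;
  const subId = headers["x-limited-key-id"];
  if (subId === undefined) return parent;
  const sub = findKey(subId);
  if (!sub || sub.parentId !== parent.id) return null;
  return sub;
}

// Scope check every route handler must apply to whatever key it was handed.
function canAccess(key: ApiKey, orgId: string, appId: string): boolean {
  const orgOk = key.limitedToOrgs.length === 0 || key.limitedToOrgs.includes(orgId);
  const appOk = key.limitedToApps.length === 0 || key.limitedToApps.includes(appId);
  return orgOk && appOk;
}
```

With the vulnerable shape a request carrying the scoped subkey's id still reaches org-B; with the hardened shape the same request is confined to org-A/app-A, and a subkey under another parent is rejected outright.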



Advisories

No advisories yet.

History

Wed, 24 Jun 2026 13:30:00 +0000

Type: Metrics
Values Added: ssvc
  {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 24 Jun 2026 12:00:00 +0000

Type: Description
Values Added: Capgo before 12.128.2 fails to enforce limited_to_orgs and limited_to_apps constraints on subkeys provided via x-limited-key-id header in middlewareKey function. Attackers can bypass subkey scope restrictions by referencing their own subkeys, causing all downstream route handlers to use the unrestricted parent key instead of the scoped subkey.

Type: Title
Values Added: Capgo - Subkey Scope Bypass in middlewareKey via x-limited-key-id Header

Type: Weaknesses
Values Added: CWE-863

Type: References
Values Added:

Type: Metrics
Values Added: cvssV3_1
  {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}
Values Added: cvssV4_0
  {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}



MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-24T12:14:32.062Z

Reserved: 2026-06-19T21:50:06.624Z

Link: CVE-2026-56232

Vulnrichment

Updated: 2026-06-24T12:14:28.536Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T14:00:07Z

Weaknesses