Description
Capgo before 12.128.2 contains a broken authentication vulnerability in its API key generation mechanism. API keys are exposed in frontend requests, and the backend fails to validate that keys are securely generated and bound to the authenticated user. An attacker can tamper with the API key parameter in the generation request and supply arbitrary values, generating custom API keys without proper authorization, which can lead to unauthorized access to protected endpoints.
Published: 2026-06-24
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Capgo versions prior to 12.128.2 contain a broken authentication flaw in the API key creation path. The key value travels in the frontend request, and the backend does not verify that it was generated securely or that it belongs to the authenticated user. An attacker can modify the key field in this request, inject an arbitrary value, and cause the server to store a custom key for the victim’s account, granting access to all protected endpoints that require that key.

Affected Systems

The vulnerability affects Capgo installations running any version before 12.128.2. The affected product is Capgo, from the vendor Capgo; the advisory gives no version information beyond that release threshold.

Risk and Exploitability

The CVSS score of 9.3 indicates critical severity. Because the exploit does not rely on authentication, it can be carried out remotely via crafted requests. EPSS data is unavailable, and the issue is not yet listed in CISA’s KEV catalog. The absence of server‑side key validation allows an attacker to repeatedly generate unauthorized keys without detection, keeping the risk high until a patch is applied.

Generated by OpenCVE AI on June 24, 2026 at 13:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Capgo v12.128.2 or later, which implements proper server‑side authentication checks for API key generation.
  • Verify that the server validates the API key payload so that only the authenticated user can be bound to a newly created key.
  • Protect or disable the key‑generation endpoint for unauthenticated users and apply rate limiting to reduce the possibility of automated exploit attempts.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 16:00:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Cap-go; Cap-go cap-go
Vendors & Products  |                | Cap-go; Cap-go cap-go

Wed, 24 Jun 2026 15:30:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 24 Jun 2026 12:00:00 +0000

Type        | Values Removed | Values Added
Description |                | Capgo before 12.128.2 contains a broken authentication vulnerability in its API key generation mechanism. API keys are exposed in frontend requests, and the backend fails to validate that keys are securely generated and bound to the authenticated user. An attacker can tamper with the API key parameter in the generation request and supply arbitrary values, generating custom API keys without proper authorization, which can lead to unauthorized access to protected endpoints.
Title       |                | Capgo - Unauthenticated API Key Generation via Client-Side Parameter Manipulation
Weaknesses  |                | CWE-287
References  |                |
Metrics     |                | cvssV3_1 {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}
            |                | cvssV4_0 {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-24T14:57:00.863Z

Reserved: 2026-06-19T21:50:06.625Z

Link: CVE-2026-56237

Vulnrichment

Updated: 2026-06-24T14:55:08.096Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T20:00:09Z

Weaknesses