Description
Capgo before 12.128.2 contains an unauthenticated security definer RPC function get_identity_apikey_only that returns the owning user_id for supplied API keys, creating an API key validity oracle and user identity disclosure primitive. Attackers can call this endpoint with valid or invalid API keys to confirm key validity and map keys to user identifiers, then chain results into other exposed RPCs like get_orgs_v6 to retrieve organization membership and management email PII.
Published: 2026-06-21
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Capgo service before 12.128.2 includes an unauthenticated security‑definer RPC function get_identity_apikey_only that returns the user identifier for any supplied API key. This creates an API key validity oracle and allows an attacker to discover which keys are active and to link those keys to specific user accounts. By subsequently calling other exposed RPC endpoints such as get_orgs_v6, a malicious actor can obtain organization membership information and personal email addresses, amplifying the potential data exposure.

Affected Systems

Affected systems include the Capgo application running under the Capgo:Capgo vendor designation. All versions released before 12.128.2 are vulnerable. No additional version details are available beyond the stated cutoff.

Risk and Exploitability

The vulnerability scores a CVSS of 8.7, indicating a high‑severity issue. The EPSS score is not available, and the flaw is not listed in the CISA KEV catalog. Because the RPC is callable without authentication, it can be accessed by any user who can reach the Capgo service over the network. Attackers can exploit this functionality to enumerate valid API keys, map them to user identities, and then chain the findings into other exposed RPC calls, resulting in a breach of confidentiality for user identifiers and potentially other PII.

Generated by OpenCVE AI on June 21, 2026 at 16:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Capgo to version 12.128.2 or newer.
  • Restrict or disable the get_identity_apikey_only RPC through network or application controls.
  • Monitor RPC usage and enforce strict API key management policies.

Generated by OpenCVE AI on June 21, 2026 at 16:41 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Cap-go
Cap-go cap-go
Vendors & Products Cap-go
Cap-go cap-go

Mon, 22 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sun, 21 Jun 2026 15:00:00 +0000

Type Values Removed Values Added
Description Capgo before 12.128.2 contains an unauthenticated security definer RPC function get_identity_apikey_only that returns the owning user_id for supplied API keys, creating an API key validity oracle and user identity disclosure primitive. Attackers can call this endpoint with valid or invalid API keys to confirm key validity and map keys to user identifiers, then chain results into other exposed RPCs like get_orgs_v6 to retrieve organization membership and management email PII.
Title Capgo - Unauthenticated API Key Validity Oracle and User Identity Disclosure via get_identity_apikey_only RPC
Weaknesses CWE-200
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-22T12:19:38.826Z

Reserved: 2026-06-19T21:53:16.000Z

Link: CVE-2026-56242

cve-icon Vulnrichment

Updated: 2026-06-22T12:19:27.513Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T16:08:31Z

Weaknesses
  • CWE-200

    Exposure of Sensitive Information to an Unauthorized Actor