Impact
The Capgo service before 12.128.2 includes an unauthenticated security‑definer RPC function get_identity_apikey_only that returns the user identifier for any supplied API key. This creates an API key validity oracle and allows an attacker to discover which keys are active and to link those keys to specific user accounts. By subsequently calling other exposed RPC endpoints such as get_orgs_v6, a malicious actor can obtain organization membership information and personal email addresses, amplifying the potential data exposure.
Affected Systems
Affected systems include the Capgo application running under the Capgo:Capgo vendor designation. All versions released before 12.128.2 are vulnerable. No additional version details are available beyond the stated cutoff.
Risk and Exploitability
The vulnerability scores a CVSS of 8.7, indicating a high‑severity issue. The EPSS score is not available, and the flaw is not listed in the CISA KEV catalog. Because the RPC is callable without authentication, it can be accessed by any user who can reach the Capgo service over the network. Attackers can exploit this functionality to enumerate valid API keys, map them to user identities, and then chain the findings into other exposed RPC calls, resulting in a breach of confidentiality for user identifiers and potentially other PII.
OpenCVE Enrichment