Description
Capgo before 12.128.2 contains a security control bypass vulnerability where the PostgREST/RLS plane accepts plaintext API keys through the capgkey header despite enforce_hashed_api_keys being enabled. Attackers can bypass org-level hashed-key enforcement by sending plaintext API keys directly to the PostgREST/RLS plane to access protected resources.
Published: 2026-06-23
Score: 8.6 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw allows attackers to send plaintext API keys to the PostgREST/RLS plane even when hashed-key enforcement is enabled, bypassing organizational restrictions and enabling unauthorized access to protected resources. This is an authentication bypass (CWE-288) that compromises the integrity and confidentiality of any data accessed through Capgo.

Affected Systems

Capgo prior to version 12.128.2 is vulnerable. Installations running a version below 12.128.2, especially those relying on the PostgREST/RLS plane for API key enforcement, are susceptible.

Risk and Exploitability

The vulnerability carries a CVSS score of 8.6, indicating high severity. No EPSS data is available and the flaw is not listed in the CISA KEV catalog. Although the attack requires remote HTTP access to the Capgo service and knowledge of a valid API key, bypassing the enforcement grants immediate unauthorized access, which makes the flaw an attractive target.

Generated by OpenCVE AI on June 23, 2026 at 13:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Capgo version 12.128.2 or later, which removes the bypass.
  • Verify that the enforce_hashed_api_keys setting is enabled on the PostgREST/RLS plane and that it is properly validated.
  • Review access logs for any use of plaintext API keys, and apply network restrictions so that only trusted sources can reach the PostgREST/RLS endpoint.
  • As an interim measure, disable or remove the capgkey header acceptance logic until the update is applied.

Advisories

No advisories yet.

History

Tue, 23 Jun 2026 15:30:00 +0000

Type      Values Removed    Values Added
Metrics   (none)            ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 23 Jun 2026 12:45:00 +0000

Type         Values Removed    Values Added
Description  (none)            Capgo before 12.128.2 contains a security control bypass vulnerability where the PostgREST/RLS plane accepts plaintext API keys through the capgkey header despite enforce_hashed_api_keys being enabled. Attackers can bypass org-level hashed-key enforcement by sending plaintext API keys directly to the PostgREST/RLS plane to access protected resources.
Title        (none)            Capgo - Hashed API Key Enforcement Bypass via PostgREST/RLS Plane
Weaknesses   (none)            CWE-288
References   (none)
Metrics      (none)            cvssV3_1: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}
                               cvssV4_0: {'score': 8.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-23T14:33:18.721Z

Reserved: 2026-06-19T21:53:16.000Z

Link: CVE-2026-56243

Vulnrichment

Updated: 2026-06-23T14:33:14.459Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-23T13:30:03Z

Weaknesses
  • CWE-288: Authentication Bypass Using an Alternate Path or Channel