Description
Cap-go before 12.128.2 contains a privilege inversion vulnerability in GET /build/logs/:jobId that allows read-only API key holders to cancel running native builds. The endpoint registers an abort listener on the SSE stream that unconditionally invokes cancelBuildOnDisconnect() using the privileged server-side BUILDER_API_KEY when clients disconnect, bypassing the app.build_native permission check required by the explicit POST /build/cancel/:jobId endpoint. Attackers with read-only API keys can repeatedly disrupt native build operations and CI/CD workflows by opening the log stream and dropping the connection.
Published: 2026-06-22
Score: 7.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Cap-go prior to version 12.128.2 has a privilege inversion flaw in the GET /build/logs/:jobId endpoint. When a client opens the SSE log stream, the handler registers an abort listener that calls cancelBuildOnDisconnect() with the privileged server-side BUILDER_API_KEY as soon as the client disconnects. That cancellation never passes through the app.build_native permission check that guards the explicit POST /build/cancel/:jobId endpoint. A holder of a read-only API key can therefore cancel a running native build simply by opening the log stream for its jobId and dropping the connection.

Affected Systems

Cap-go versions older than 12.128.2 are affected. The flaw lies in the server-side SSE handler for GET /build/logs/:jobId, so every installation on which read-only API key holders can reach that endpoint is exposed; the missing check is in the disconnect listener itself, not in the client.

Risk and Exploitability

The CVSS 3.1 score of 7.1 (High) reflects a network-reachable, low-complexity attack that needs only low privileges and no user interaction, with high availability impact and low integrity impact (vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H). No EPSS score is available, and the flaw is not listed in CISA KEV. Any holder of a read-only API key, typically a low-privilege credential, can exploit it remotely: issue a GET request to /build/logs/:jobId for a running build whose jobId they know, let the SSE stream open, then close the connection. The server's abort listener then calls cancelBuildOnDisconnect() with BUILDER_API_KEY, so the cancellation bypasses the app.build_native check that the explicit POST /build/cancel/:jobId endpoint enforces. A narrow read-only capability is thereby lifted to the power to terminate builds, and repeating the open-and-drop cycle lets an attacker disrupt continuous integration pipelines, causing availability problems and downstream failures.
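
The following is an added example, not Capgo's code and not taken from the advisory: a minimal in-memory model of the SSE log-stream handler pattern described above, with the vulnerable disconnect listener next to a hardened variant. It is written in JavaScript because Capgo's server is a JavaScript/TypeScript code base, but nothing here uses Capgo's real APIs. The only names taken from the advisory are cancelBuildOnDisconnect, BUILDER_API_KEY and app.build_native; the key store, build registry, permission names such as app.read, and the handler signatures are assumptions made for the example.

```javascript
// Added illustration (not Capgo's code). Every name other than
// cancelBuildOnDisconnect, BUILDER_API_KEY and app.build_native is an
// assumption made for this example.

const BUILDER_API_KEY = "server-side-builder-key"; // privileged key (assumed value)

// Constructed build registry: jobId -> { status, cancelledBy }
function makeBuilds() {
  return new Map([
    ["job-1", { status: "running", cancelledBy: null }],
    ["job-2", { status: "running", cancelledBy: null }],
  ]);
}

// Constructed API-key store: key -> set of permissions the caller holds.
const API_KEYS = new Map([
  ["ro-key", new Set(["app.read"])],                     // read-only key
  ["rw-key", new Set(["app.read", "app.build_native"])], // may cancel builds
]);

function hasPermission(apiKey, perm) {
  const perms = API_KEYS.get(apiKey);
  return perms !== undefined && perms.has(perm);
}

// Server-side cancel that trusts the supplied key. With BUILDER_API_KEY it
// always succeeds; that is exactly the privilege the vulnerable listener
// hands to whoever opened the stream.
function cancelBuild(builds, jobId, apiKey) {
  const build = builds.get(jobId);
  if (!build || build.status !== "running") return false;
  if (apiKey !== BUILDER_API_KEY && !hasPermission(apiKey, "app.build_native")) return false;
  build.status = "cancelled";
  build.cancelledBy = apiKey;
  return true;
}

// Wrapper using the name from the advisory; its body is an assumption.
function cancelBuildOnDisconnect(builds, jobId) {
  return cancelBuild(builds, jobId, BUILDER_API_KEY);
}

// Vulnerable pattern: anyone allowed to read logs gets an abort listener that
// cancels the build with the server key, regardless of their own permissions.
function openLogStreamVulnerable(builds, jobId, apiKey, signal) {
  if (!hasPermission(apiKey, "app.read")) return { ok: false, reason: "forbidden" };
  signal.addEventListener("abort", () => cancelBuildOnDisconnect(builds, jobId));
  return { ok: true };
}

// Hardened pattern: the disconnect listener is only registered for callers who
// could have called POST /build/cancel/:jobId themselves, and it cancels with
// the caller's own key so the permission check is applied on that path too.
function openLogStreamFixed(builds, jobId, apiKey, signal) {
  if (!hasPermission(apiKey, "app.read")) return { ok: false, reason: "forbidden" };
  if (hasPermission(apiKey, "app.build_native")) {
    signal.addEventListener("abort", () => cancelBuild(builds, jobId, apiKey));
  }
  return { ok: true };
}

// Simulates "open the stream, then drop the connection" against a fresh
// registry and reports what happened to job-1.
function simulateDisconnect(handler, apiKey) {
  const builds = makeBuilds();
  const ac = new AbortController();
  const res = handler(builds, "job-1", apiKey, ac.signal);
  ac.abort(); // the client hangs up; the abort event fires synchronously
  const b = builds.get("job-1");
  return { ok: res.ok, status: b.status, cancelledBy: b.cancelledBy };
}
```

Calling simulateDisconnect(openLogStreamVulnerable, "ro-key") leaves job-1 cancelled by the server key even though the read-only key could never have called the cancel endpoint; simulateDisconnect(openLogStreamFixed, "ro-key") leaves it running. The hardened variant shown here is one way to close the gap, not necessarily what 12.128.2 does (the page does not describe the upstream change). A stricter option is to drop the disconnect listener entirely and rely on the explicit cancel endpoint, since cancelling builds on any dropped connection also means a flaky network can kill a build for a legitimate user.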

Generated by OpenCVE AI on June 23, 2026 at 00:05 UTC.

Remediation

No vendor advisory or workaround is recorded on this page. The CVE description identifies 12.128.2 as the first version that is not affected.

OpenCVE Recommended Actions

  • Update Cap‑go to 12.128.2 or newer, the first version the CVE description lists as unaffected by the privilege inversion flaw.
  • If an immediate update is not possible, restrict access to /build/logs/:jobId so that only API keys holding app.build_native (the permission POST /build/cancel/:jobId already requires) can open the SSE stream, or patch the handler so that the disconnect listener is not registered for, or does not cancel on behalf of, keys that lack that permission.
  • Monitor for builds that end in a cancelled state shortly after a client disconnects from the job's log stream, especially cancellations that did not arrive through POST /build/cancel/:jobId, and alert on repeated occurrences from the same key, which indicate exploitation attempts.
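
As an added example of the monitoring suggested above (not Capgo's code, and not based on any log format Capgo actually emits), the JavaScript below runs simple detection logic over a few constructed build-event log lines. The tab-separated record layout, the event names, the assumption that a cancellation is logged under the identity that performed it (here the literal actor BUILDER_API_KEY for server-initiated cancels), the 5-second window and the alert threshold are all assumptions made for the example.

```javascript
// Added illustration (not Capgo's code). Log format, event names, actor
// labels, window and threshold are assumptions for this example.

// Constructed sample log: tab-separated "timestamp event jobId actor" records.
// job-41, job-42 and job-44 show the open-then-drop pattern by a read-only key;
// job-43 is a legitimate cancel issued under the caller's own key.
const SAMPLE_LOG = `
2026-06-22T10:00:00Z\tbuild.start\tjob-41\tci-runner
2026-06-22T10:00:05Z\tlogs.open\tjob-41\tro-key
2026-06-22T10:00:06Z\tlogs.disconnect\tjob-41\tro-key
2026-06-22T10:00:06Z\tbuild.cancel\tjob-41\tBUILDER_API_KEY
2026-06-22T10:01:00Z\tbuild.start\tjob-42\tci-runner
2026-06-22T10:01:03Z\tlogs.open\tjob-42\tro-key
2026-06-22T10:01:04Z\tlogs.disconnect\tjob-42\tro-key
2026-06-22T10:01:04Z\tbuild.cancel\tjob-42\tBUILDER_API_KEY
2026-06-22T10:02:00Z\tbuild.start\tjob-43\tci-runner
2026-06-22T10:02:10Z\tlogs.open\tjob-43\trw-key
2026-06-22T10:02:30Z\tbuild.cancel\tjob-43\trw-key
2026-06-22T10:03:00Z\tbuild.start\tjob-44\tci-runner
2026-06-22T10:03:01Z\tlogs.open\tjob-44\tro-key
2026-06-22T10:03:02Z\tlogs.disconnect\tjob-44\tro-key
2026-06-22T10:03:02Z\tbuild.cancel\tjob-44\tBUILDER_API_KEY
`;

// Parses the constructed format into records with epoch-millisecond timestamps.
function parseLog(text) {
  return text
    .split("\n")
    .filter((line) => line.trim() !== "")
    .map((line) => {
      const [ts, event, jobId, actor] = line.split("\t");
      return { ts: Date.parse(ts), event, jobId, actor };
    });
}

// Flags builds cancelled under the server's builder identity within windowMs
// of a client disconnecting from that job's log stream, attributing each hit
// to the key that disconnected. A cancel logged under a user's own key (the
// explicit POST /build/cancel/:jobId path) is not flagged.
function findDisconnectCancels(records, windowMs = 5000) {
  const lastDisconnect = new Map(); // jobId -> most recent disconnect record
  const hits = [];
  for (const r of records) {
    if (r.event === "logs.disconnect") lastDisconnect.set(r.jobId, r);
    if (r.event === "build.cancel" && r.actor === "BUILDER_API_KEY") {
      const d = lastDisconnect.get(r.jobId);
      if (d && r.ts >= d.ts && r.ts - d.ts <= windowMs) {
        hits.push({ jobId: r.jobId, key: d.actor, ts: r.ts });
      }
    }
  }
  return hits;
}

// Raises an alert for each key behind at least `threshold` flagged cancels.
function repeatedAbortAlerts(hits, threshold = 2) {
  const perKey = new Map();
  for (const h of hits) perKey.set(h.key, (perKey.get(h.key) || 0) + 1);
  return [...perKey]
    .filter(([, count]) => count >= threshold)
    .map(([key, count]) => ({ key, count }));
}

// Convenience entry point: parse, detect, alert.
function analyze(text = SAMPLE_LOG) {
  const hits = findDisconnectCancels(parseLog(text));
  return { hits, alerts: repeatedAbortAlerts(hits) };
}
```

On the sample, analyze() flags job-41, job-42 and job-44 and raises one alert for ro-key with a count of 3, while job-43 stays clean. The window matters: the vulnerable listener fires on the disconnect itself, so a genuine exploitation shows up with near-zero gap, and widening the window mainly adds noise from users who happen to close a tab shortly before a colleague cancels a build.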

Advisories

No advisories yet.

History

Mon, 22 Jun 2026 22:00:00 +0000

Type          Values Removed   Values Added
Description                    Cap-go before 12.128.2 contains a privilege inversion vulnerability in GET /build/logs/:jobId that allows read-only API key holders to cancel running native builds. The endpoint registers an abort listener on the SSE stream that unconditionally invokes cancelBuildOnDisconnect() using the privileged server-side BUILDER_API_KEY when clients disconnect, bypassing the app.build_native permission check required by the explicit POST /build/cancel/:jobId endpoint. Attackers with read-only API keys can repeatedly disrupt native build operations and CI/CD workflows by opening the log stream and dropping the connection.
Title                          Cap-go - Privilege Inversion in Build Log Stream via SSE Disconnect
Weaknesses                     CWE-862
References
Metrics                        cvssV3_1: score 7.1, vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H
                               cvssV4_0: score 7.1, vector CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-22T21:04:46.151Z

Reserved: 2026-06-20T01:51:24.919Z

Link: CVE-2026-56280

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-23T00:15:03Z

Weaknesses