Description
Capgo before 12.128.2 contains an authorization bypass vulnerability in webhook management endpoints that allows non-expiring API keys to bypass the require_apikey_expiration organization policy. The checkWebhookPermission function fails to call apikeyHasOrgRightWithPolicy, enabling attackers with legacy non-expiring keys to list, create, and delete webhooks despite explicit organizational policy requiring key expiration.
Published: 2026-06-20
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Capgo before version 12.128.2 contains an authorization bypass flaw in its webhook management APIs. The permission check for those endpoints, checkWebhookPermission, does not call apikeyHasOrgRightWithPolicy, so a request authenticated with a legacy, non‑expiring API key is never tested against the organization's require_apikey_expiration policy. An attacker holding such a key can therefore list, create, or delete the organization's webhooks even though the policy is meant to reject keys that carry no expiry, gaining control over webhook configuration that the organization intended to restrict to compliant keys.

Affected Systems

The affected product is Capgo, and the vulnerability exists in all releases prior to 12.128.2. No other versions or products are listed as impacted.

Risk and Exploitability

The record carries two scores, 6.3 (CVSS 3.1) and 5.3 (CVSS 4.0), both Medium. Both vectors describe a network‑reachable attack with low complexity, no user interaction and low privileges required (PR:L): the attacker must already hold or obtain a legacy, non‑expiring API key for the organization. EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog. With such a key, the attacker can remotely bypass the organization's key‑expiration policy on the webhook endpoints and create or delete webhooks without authorization. The practical risk depends on whether legacy keys still exist in the organization and on what can be reached through its webhooks, for example by pointing a newly created webhook at an endpoint the attacker controls or by deleting webhooks that other systems depend on.

Generated by OpenCVE AI on June 20, 2026 at 17:51 UTC.

Remediation

No separate vendor advisory or workaround is listed on this page. The CVE description identifies 12.128.2 as the first version without the flaw, so upgrading to that version or later is the fix.

OpenCVE Recommended Actions

  • Upgrade Capgo to version 12.128.2 or later so that checkWebhookPermission enforces the organization policy.
  • Revoke all legacy non‑expiring API keys and issue replacement keys with an expiry that complies with the organization's key‑expiration policy; until the upgrade is applied, this is the only measure that actually blocks those keys on the webhook endpoints.
  • Keep the require_apikey_expiration policy enabled, but do not rely on it alone: before 12.128.2 the webhook endpoints never consult it, so the policy setting by itself does not prevent legacy key usage there.
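The following TypeScript is an added illustration of the pattern behind this CVE (a permission check that skips the policy layer, shown next to the same check routed through a policy‑aware helper) and of the key audit implied by the second recommendation above. It is not Capgo's code: the types, the policy field, the mapping of webhook actions to rights and the sample keys are all assumptions made for the example; only the function names checkWebhookPermission and apikeyHasOrgRightWithPolicy and the policy name require_apikey_expiration come from the description.

```typescript
// Added illustrative model of the CWE-285 pattern described on this page.
// Not Capgo's code: every type, field name and right mapping here is an
// assumption chosen to show (1) a permission check that skips the
// organization policy layer, (2) the same check routed through a
// policy-aware helper, and (3) an audit that lists the keys that would
// slip through the vulnerable check.

type Right = "read" | "admin";
type WebhookAction = "list" | "create" | "delete";

interface ApiKey {
  id: string;
  orgId: string;
  expiresAt: Date | null; // null models a legacy key with no expiry (assumption)
  rights: Set<Right>;
}

interface Org {
  id: string;
  // Assumed shape of the require_apikey_expiration policy named on the page.
  requireApikeyExpiration: boolean;
}

// Plain right check: does this key belong to the org and carry the right?
function apikeyHasOrgRight(key: ApiKey, org: Org, right: Right): boolean {
  return key.orgId === org.id && key.rights.has(right);
}

// Policy-aware check: under require_apikey_expiration a key must have an
// expiry, and that expiry must still lie in the future.
function apikeyHasOrgRightWithPolicy(key: ApiKey, org: Org, right: Right, now: Date): boolean {
  if (!apikeyHasOrgRight(key, org, right)) return false;
  if (org.requireApikeyExpiration) {
    if (key.expiresAt === null) return false;                   // legacy key: rejected
    if (key.expiresAt.getTime() <= now.getTime()) return false; // expired key: rejected
  }
  return true;
}

// Assumed mapping: listing needs read, create/delete need admin.
function rightFor(action: WebhookAction): Right {
  return action === "list" ? "read" : "admin";
}

// Vulnerable shape: the endpoint checks the right but never consults the policy.
function checkWebhookPermissionVulnerable(key: ApiKey, org: Org, action: WebhookAction): boolean {
  return apikeyHasOrgRight(key, org, rightFor(action));
}

// Fixed shape: the same decision routed through the policy-aware helper.
function checkWebhookPermissionFixed(key: ApiKey, org: Org, action: WebhookAction, now: Date): boolean {
  return apikeyHasOrgRightWithPolicy(key, org, rightFor(action), now);
}

// Audit: keys whose org requires expiration but which carry none. These are
// exactly the keys the vulnerable check accepts and the fixed check rejects.
function findPolicyViolatingKeys(keys: ApiKey[], orgs: Org[]): ApiKey[] {
  const byId = new Map<string, Org>();
  for (const o of orgs) byId.set(o.id, o);
  return keys.filter((k) => {
    const org = byId.get(k.orgId);
    return org !== undefined && org.requireApikeyExpiration && k.expiresAt === null;
  });
}

// Constructed sample data (not taken from any real deployment).
const NOW = new Date("2026-06-20T16:00:00Z");
const strictOrg: Org = { id: "org-strict", requireApikeyExpiration: true };
const laxOrg: Org = { id: "org-lax", requireApikeyExpiration: false };
const legacyKey: ApiKey = { id: "k-legacy", orgId: "org-strict", expiresAt: null, rights: new Set<Right>(["read", "admin"]) };
const validKey: ApiKey = { id: "k-valid", orgId: "org-strict", expiresAt: new Date("2027-01-01T00:00:00Z"), rights: new Set<Right>(["read", "admin"]) };
const expiredKey: ApiKey = { id: "k-expired", orgId: "org-strict", expiresAt: new Date("2026-01-01T00:00:00Z"), rights: new Set<Right>(["read", "admin"]) };
const readOnlyKey: ApiKey = { id: "k-readonly", orgId: "org-strict", expiresAt: new Date("2027-01-01T00:00:00Z"), rights: new Set<Right>(["read"]) };
const laxLegacyKey: ApiKey = { id: "k-lax-legacy", orgId: "org-lax", expiresAt: null, rights: new Set<Right>(["read", "admin"]) };
const allKeys: ApiKey[] = [legacyKey, validKey, expiredKey, readOnlyKey, laxLegacyKey];
const allOrgs: Org[] = [strictOrg, laxOrg];

// Side-by-side decision for one key, used by the demo below.
function compare(key: ApiKey, org: Org, action: WebhookAction): { vulnerable: boolean; fixed: boolean } {
  return {
    vulnerable: checkWebhookPermissionVulnerable(key, org, action),
    fixed: checkWebhookPermissionFixed(key, org, action, NOW),
  };
}

console.log("legacy key, delete webhook:", compare(legacyKey, strictOrg, "delete"));
console.log("keys to revoke:", findPolicyViolatingKeys(allKeys, allOrgs).map((k) => k.id));
```

The point of the side‑by‑side shape is that the two checks agree for every key except the ones the policy exists to exclude: a legacy key with admin rights passes the vulnerable check and fails the fixed one, while compliant, expired and under‑privileged keys are decided identically. The audit function returns the same set of keys the fixed check would start rejecting, which is the list to revoke and reissue before or alongside the upgrade.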



Advisories

No advisories yet.

History

Sat, 20 Jun 2026 16:15:00 +0000

Type          Values Removed   Values Added
Description   -                (description text as shown at the top of this page)
Title         -                Capgo - Policy Enforcement Bypass in Webhook Management Endpoints via Non-Expiring API Keys
Weaknesses    -                CWE-285
References    -                -
Metrics       -                cvssV3_1 {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L'}
                               cvssV4_0 {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N'}



MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-20T15:24:46.103Z

Reserved: 2026-06-20T12:49:17.829Z

Link: CVE-2026-56295

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-20T18:00:09Z

Weaknesses