Description
Capgo before 12.128.2 contains an authentication bypass vulnerability in the /build/upload/:jobId/* endpoint that allows unauthenticated attackers to trigger consistent 500 errors. Remote attackers can send OPTIONS requests to bypass authentication middleware and invoke tusProxy logic with invalid credentials, enabling trivial request flooding and denial of service.
Published: 2026-06-21
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Capgo versions released before 12.128.2 contain an authentication bypass that allows attackers to send HTTP OPTIONS requests to the /build/upload/:jobId/* endpoint. The bypass forces the tusProxy logic to process requests with invalid credentials and consistently return 500 errors. Repeating this behavior can exhaust server resources, making the application unavailable to legitimate users. This weakness corresponds to CWE-306, an authentication bypass issue.

Affected Systems

The vulnerability affects Capgo applications that are earlier than version 12.128.2, regardless of deployment environment or hosting provider.

Risk and Exploitability

The CVSS score of 6.9 indicates moderate severity, and the EPSS score is unavailable, suggesting uncertainty about the exploitation likelihood. Because the bypass is triggered by unauthenticated OPTIONS requests, an attacker needs only remote network access and the ability to send HTTP traffic. The vulnerability is not listed in CISA’s KEV catalog, but its remote and unauthenticated nature makes it attractive for opportunistic denial‑of‑service attacks.

Generated by OpenCVE AI on June 21, 2026 at 18:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Capgo to version 12.128.2 or later to receive the official fix.
  • Configure perimeter defenses such as a WAF or firewall to block unauthenticated OPTIONS requests to the /build/upload endpoint.
  • Implement monitoring of HTTP error rates and OPTIONS traffic to detect and mitigate potential denial‑of‑service attempts.

Generated by OpenCVE AI on June 21, 2026 at 18:05 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Cap-go
Cap-go cap-go
Vendors & Products Cap-go
Cap-go cap-go

Tue, 23 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sun, 21 Jun 2026 15:00:00 +0000

Type Values Removed Values Added
Description Capgo before 12.128.2 contains an authentication bypass vulnerability in the /build/upload/:jobId/* endpoint that allows unauthenticated attackers to trigger consistent 500 errors. Remote attackers can send OPTIONS requests to bypass authentication middleware and invoke tusProxy logic with invalid credentials, enabling trivial request flooding and denial of service.
Title Capgo - Denial of Service via Unauthenticated OPTIONS Request to /build/upload Endpoint
Weaknesses CWE-306
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}

cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-23T14:19:49.295Z

Reserved: 2026-06-20T12:49:17.830Z

Link: CVE-2026-56299

cve-icon Vulnrichment

Updated: 2026-06-23T14:00:26.352Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T16:08:27Z

Weaknesses
  • CWE-306

    Missing Authentication for Critical Function