Description
Capgo before 12.128.2 contains unauthenticated security definer RPC functions get_user_id and get_org_perm_for_apikey that expose API key validity oracles and user UUID disclosure. Unauthenticated attackers using the public API key can validate leaked keys, enumerate users and apps, and determine permission levels, significantly increasing the actionability of compromised credentials.
Published: 2026-06-30
Score: 8.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability lies in Capgo's RPC functions get_user_id and get_org_perm_for_apikey, which can be invoked without authentication. These functions act as data oracles: they reveal whether an API key is valid and, if so, expose the UUID of the user or the identities of the organization's applications. Because the functions are declared security definer, they run with their owner's privileges rather than the caller's, so the information they return is not protected from callers who merely know a public API key. This is a classic information disclosure weakness (CWE-200) that significantly expands the attack surface for compromised keys, allowing an attacker to enumerate users, apps and permission sets.

Affected systems are deployments of the Capgo control plane running a version earlier than 12.128.2; the advisory states that Capgo before 12.128.2 contains the problem, so any installation of that code base with a publicly exposed API endpoint is vulnerable. The vulnerability is independent of user authentication and relies only on possession of a valid public API key.

The CVSS score of 8.7 (v4.0; the v3.1 vector scores 7.5) indicates high severity. Because no EPSS score is available, the current exploit likelihood is unknown; the exploit path is nonetheless straightforward: an unauthenticated user can remotely call the RPC endpoints, validate leaked keys and enumerate internal data. The vulnerability has not yet been catalogued in the CISA KEV list, but its ability to confirm credential validity makes it actionable for threat actors seeking to pivot laterally or gather intelligence.

Affected Systems

Capgo control plane versions earlier than 12.128.2 are susceptible to this flaw; any instance of that software exposed to the network is vulnerable.

Risk and Exploitability

With a CVSS score of 8.7, the flaw is considered high severity. Attackers need only possess a public API key to use the insecure RPC endpoints, which lets them confirm key validity, enumerate users and applications, and determine permission levels without any authentication. The lack of an EPSS score means the exploitation probability has not been quantified, yet the simplicity of the attack path makes active exploitation likely once the flaw is discovered. The flaw is not listed in the CISA KEV catalog, but its practical impact on credential compromise elevates the urgency of mitigation.

Generated by OpenCVE AI on June 30, 2026 at 23:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Capgo to version 12.128.2 or newer, which removes the unauthenticated RPC functions.
  • If upgrading is not immediately possible, modify the RPC service configuration so that get_user_id and get_org_perm_for_apikey require authenticated and authorized callers only.
  • Continuously monitor API logs for unexpected calls to these RPC endpoints and alert on any unauthorized activity.
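The second action above, shown as an added SQL example that is not Capgo's own schema or migration: the weak grant pattern beside the hardened one, assuming a PostgreSQL backend behind a PostgREST-style RPC layer with the usual anon (unauthenticated) and authenticated roles; the apikeys table, its columns and the argument lists of both functions are assumptions, not details from the advisory.

```sql
-- Added example, not Capgo's own schema. Assumes PostgreSQL behind a
-- PostgREST-style RPC layer with the usual "anon" (unauthenticated) and
-- "authenticated" roles; table, column and argument lists are assumed.

-- Weak pattern: SECURITY DEFINER runs the body with the owner's privileges,
-- and PostgreSQL grants EXECUTE on a new function to PUBLIC by default, so
-- any caller who can reach the RPC layer gets an API key validity oracle.
CREATE OR REPLACE FUNCTION public.get_user_id(apikey text)
RETURNS uuid
LANGUAGE sql
SECURITY DEFINER
AS $$
  SELECT user_id FROM public.apikeys WHERE key = apikey;
$$;
-- Implicit default: GRANT EXECUTE ON FUNCTION public.get_user_id(text) TO PUBLIC;

-- Hardened pattern: remove the default and anon grants, allow only
-- authenticated callers, and pin search_path so a definer function cannot
-- be redirected to attacker-created objects in another schema.
REVOKE EXECUTE ON FUNCTION public.get_user_id(text) FROM PUBLIC, anon;
REVOKE EXECUTE ON FUNCTION public.get_org_perm_for_apikey(text, text)
  FROM PUBLIC, anon;
GRANT EXECUTE ON FUNCTION public.get_user_id(text) TO authenticated;
GRANT EXECUTE ON FUNCTION public.get_org_perm_for_apikey(text, text)
  TO authenticated;
ALTER FUNCTION public.get_user_id(text) SET search_path = public, pg_temp;
ALTER FUNCTION public.get_org_perm_for_apikey(text, text)
  SET search_path = public, pg_temp;

-- Audit query: list every SECURITY DEFINER function in "public" that PUBLIC
-- (grantee oid 0) or anon can still execute, i.e. candidates for the same
-- exposure; an empty result is the expected state after hardening.
SELECT p.oid::regprocedure AS exposed_function
FROM pg_proc p
JOIN pg_namespace n ON n.oid = p.pronamespace
WHERE n.nspname = 'public'
  AND p.prosecdef
  AND (p.proacl IS NULL                      -- default ACL includes PUBLIC
       OR EXISTS (SELECT 1
                  FROM aclexplode(p.proacl) a
                  WHERE a.privilege_type = 'EXECUTE'
                    AND a.grantee IN (0, 'anon'::regrole::oid)));
```

Run the audit query after the upgrade as well: the fix removes these two functions, but the same default-grant exposure applies to any other security definer function reachable through the RPC layer.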

Advisories

No advisories yet.

History

Tue, 30 Jun 2026 22:45:00 +0000

Type: Description
  Values removed: (none)
  Values added: Capgo before 12.128.2 contains unauthenticated security definer RPC functions get_user_id and get_org_perm_for_apikey that expose API key validity oracles and user UUID disclosure. Unauthenticated attackers using the public API key can validate leaked keys, enumerate users and apps, and determine permission levels, significantly increasing the actionability of compromised credentials.

Type: Title
  Values removed: (none)
  Values added: Capgo - Unauthenticated API Key Validity and Permission Oracle via RPC Functions

Type: Weaknesses
  Values removed: (none)
  Values added: CWE-200

Type: References
  Values removed: (none)
  Values added: (empty)

Type: Metrics
  Values removed: (none)
  Values added:
    cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}
    cvssV4_0: {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-30T22:08:29.294Z

Reserved: 2026-06-20T12:49:17.830Z

Link: CVE-2026-56300

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-30T23:30:04Z

Weaknesses
  • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor