Impact
The vulnerability lies in Capgo's RPC functions get_user_id and get_org_perm_for_apikey, which can be invoked without authentication. These functions act as data oracles: they reveal whether an API key is valid and, if so, expose the UUID of the user or the identities of the organization's applications. Because the functions execute under a security definer role, the information they return is not protected from callers who merely know a public API key. This is a classic Information Disclosure weakness (CWE-200) that significantly expands the attack surface for compromised keys, allowing an attacker to enumerate users, apps and permission sets. Affected systems are deployments of the Capgo control plane running a version earlier than 12.128.2; any installation of that code base with a publicly exposed API endpoint is vulnerable. The vulnerability is independent of user authentication and relies only on possession of a valid public API key. The CVSS v3.1 score of 8.7 indicates high severity. Because no EPSS score is available, the current exploit likelihood is unknown; however, exploitation is straightforward: an unauthenticated user can remotely call the RPC endpoints, validate leaked keys and enumerate internal data. The vulnerability has not yet been catalogued in the CISA KEV list, but its ability to confirm credential validity makes it potentially actionable for threat actors seeking to pivot laterally or gather intelligence.
Affected Systems
Capgo control plane versions earlier than 12.128.2 are susceptible to this flaw; any instance of that software exposed to the network is vulnerable.
Risk and Exploitability
With a CVSS score of 8.7, the flaw is considered high-severity. Attackers who possess only a public API key can use the insecure RPC endpoints to confirm key validity, enumerate users and applications, and determine permission levels without any authentication. The lack of an EPSS score means the exploitation probability is not quantified, yet the simplicity of the attack path means it is likely to be actively exploited once it is discovered. The flaw is not listed in the CISA KEV catalog, but its practical impact on credential compromise elevates the urgency of mitigation.
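Until an instance is updated to 12.128.2 or later, the behaviour described above can be watched for at the API gateway: calls to the two oracle functions that carry no logged-in user identity, clustered in time from one source, are the signature of key validation and enumeration. The following detection sketch is an added example written for this page; it is not code from the advisory or from the Capgo project. It assumes a PostgREST-style path layout (`/rest/v1/rpc/<function>`), one JSON record per request, and an `auth` field that distinguishes a user session (`user_jwt`) from an API-key-only or anonymous call; the log lines are constructed for the example.

```python
"""Detect unauthenticated calls to Capgo's get_user_id and
get_org_perm_for_apikey RPC functions (information disclosure in Capgo
before 12.128.2) in gateway access logs.

Assumptions (not taken from the advisory): RPCs are reached over HTTP at
/rest/v1/rpc/<function>, the gateway emits one JSON object per request,
and a logged-in caller is marked by "auth": "user_jwt". The sample log
below is constructed for this example and is not real traffic.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Optional

ORACLE_RPCS = {"get_user_id", "get_org_perm_for_apikey"}  # names from the advisory
RPC_PREFIX = "/rest/v1/rpc/"                                # assumed path layout

# Constructed sample log: one source probes both oracles five times in a
# few seconds without a user session; another makes a single call.
SAMPLE_LOG = """\
{"ts":"2024-05-01T10:00:00Z","ip":"203.0.113.7","method":"POST","path":"/rest/v1/rpc/get_user_id","status":200,"auth":"user_jwt"}
{"ts":"2024-05-01T10:00:01Z","ip":"198.51.100.9","method":"POST","path":"/rest/v1/rpc/get_user_id","status":200,"auth":"apikey_only"}
{"ts":"2024-05-01T10:00:02Z","ip":"198.51.100.9","method":"POST","path":"/rest/v1/rpc/get_user_id","status":200,"auth":"apikey_only"}
{"ts":"2024-05-01T10:00:03Z","ip":"198.51.100.9","method":"POST","path":"/rest/v1/rpc/get_org_perm_for_apikey","status":200,"auth":"apikey_only"}
{"ts":"2024-05-01T10:00:04Z","ip":"198.51.100.9","method":"POST","path":"/rest/v1/rpc/get_org_perm_for_apikey","status":200,"auth":"none"}
{"ts":"2024-05-01T10:00:05Z","ip":"198.51.100.9","method":"POST","path":"/rest/v1/rpc/get_user_id","status":200,"auth":"none"}
{"ts":"2024-05-01T10:00:06Z","ip":"192.0.2.4","method":"GET","path":"/rest/v1/apps","status":200,"auth":"user_jwt"}
{"ts":"2024-05-01T10:30:00Z","ip":"192.0.2.4","method":"POST","path":"/rest/v1/rpc/get_user_id","status":200,"auth":"none"}
"""


def parse_line(line: str) -> Optional[dict]:
    """Parse one JSON log record; return None for blank or malformed lines."""
    line = line.strip()
    if not line:
        return None
    try:
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
    except (ValueError, KeyError, AttributeError, TypeError):
        return None
    return rec


def rpc_name(rec: dict) -> Optional[str]:
    """Return the RPC function name for a POST under RPC_PREFIX, else None."""
    path = rec.get("path", "")
    if rec.get("method") == "POST" and path.startswith(RPC_PREFIX):
        return path[len(RPC_PREFIX):].split("?", 1)[0]
    return None


def is_unauthenticated_oracle_call(rec: dict) -> bool:
    """True when one of the oracle RPCs is called without a user session."""
    return rpc_name(rec) in ORACLE_RPCS and rec.get("auth") != "user_jwt"


def unauthenticated_oracle_calls(log_text: str) -> list:
    """List (source ip, function) for every unauthenticated oracle call."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_unauthenticated_oracle_call(rec):
            hits.append((rec["ip"], rpc_name(rec)))
    return hits


def find_probing_sources(log_text: str, window: timedelta = timedelta(minutes=5),
                         threshold: int = 3) -> dict:
    """Return {ip: peak_count} for sources whose unauthenticated oracle
    calls reach `threshold` inside any sliding `window`."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_unauthenticated_oracle_call(rec):
            per_ip[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, stamps in per_ip.items():
        stamps.sort()
        peak = start = 0
        for end, ts in enumerate(stamps):          # two-pointer sliding window
            while ts - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


if __name__ == "__main__":
    for ip, fn in unauthenticated_oracle_calls(SAMPLE_LOG):
        print(f"unauthenticated oracle call from {ip}: {fn}")
    for ip, peak in find_probing_sources(SAMPLE_LOG).items():
        print(f"ALERT {ip}: {peak} unauthenticated oracle calls within 5 minutes")
```

Each unauthenticated oracle call is worth logging on its own, since the fixed version should not allow any; the sliding-window count separates a stray call from deliberate key validation across many candidates. Detection is a stopgap: the remediation the advisory supports is upgrading to 12.128.2 or later, and any similar security definer function should be reviewed so that it is not executable by unauthenticated roles.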
OpenCVE Enrichment