Description
Capgo before 12.128.2 contains a weak parsing vulnerability in the x-limited-key-id header that allows attackers to bypass subkey enforcement by submitting malformed values, zero, or duplicate headers that result in NaN or falsy values. Remote attackers can manipulate the x-limited-key-id header to disable limited key scoping and execute requests using the main API key context instead of restricted subkey permissions.
Published: 2026-06-22
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is weak parsing of the x-limited-key-id header: an attacker can submit malformed, zero, or duplicate header values, causing the server to treat the value as NaN or falsy. This bypasses the intended subkey enforcement so that requests are executed under the main API key context instead of the restricted subkey permissions, effectively elevating the attacker’s privileges.

Affected Systems

Capgo deployments running any version prior to 12.128.2 are affected. The only affected product is the Capgo server component; newer releases are not impacted.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate risk. EPSS data is unavailable and the vulnerability is not listed in the CISA KEV catalog. Attackers can trigger the flaw over the network by sending a crafted HTTP request with a malicious x-limited-key-id header, enabling them to use the main API key and access sensitive data or services.

Generated by OpenCVE AI on June 22, 2026 at 23:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Capgo to version 12.128.2 or later to apply the header parsing fix.
  • As a temporary measure, enforce strict validation of the x-limited-key-id header on any reverse proxy or frontend, rejecting malformed, zero-length, or duplicate values before they reach the Capgo backend.
  • Monitor API access logs for sudden or unexpected use of the main API key and configure alerting to detect potential abuse of subkey enforcement bypass.

Generated by OpenCVE AI on June 22, 2026 at 23:38 UTC.
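
As an added illustration of the bug class the description names and of the strict validation the recommended actions call for (this is not Capgo's code; the record does not show the real parser): a lenient parse that folds malformed, zero and duplicate x-limited-key-id values into NaN/falsy and falls back to main-key scope, beside a strict parse that refuses them. The header-pair input format and the positive-integer id format are assumptions.

```javascript
// Added illustration, not Capgo's code: the record does not show the real parser.
// Input format is an assumption: an array of [name, value] pairs in the order
// the request carried them (like Node's req.rawHeaders, but paired), so
// duplicate headers are visible to the strict parser.

// Mimics the common framework behaviour of lower-casing header names and
// joining duplicate values with ", " into one string.
function joinHeaders(pairs) {
  const out = {};
  for (const [name, value] of pairs) {
    const key = name.toLowerCase();
    out[key] = key in out ? `${out[key]}, ${value}` : value;
  }
  return out;
}

// Weak pattern: one numeric coercion and one falsy check. "abc" -> NaN,
// "0" -> 0, "7, 8" (duplicates joined) -> NaN, absent -> NaN; every one of
// them falls through to main-key scope, which is the bypass described above.
function resolveScopeLenient(pairs) {
  const id = Number(joinHeaders(pairs)['x-limited-key-id']);
  if (!id) return { scope: 'main' };
  return { scope: 'subkey', id };
}

// Strict pattern: only a genuinely absent header yields main scope; anything
// present must be a single, well-formed positive integer, otherwise the
// request is refused instead of being silently widened.
const SUBKEY_ID = /^[1-9][0-9]{0,9}$/; // assumed id format: positive decimal integer
function resolveScopeStrict(pairs) {
  const values = pairs
    .filter(([name]) => name.toLowerCase() === 'x-limited-key-id')
    .map(([, value]) => value);
  if (values.length === 0) return { scope: 'main' };
  if (values.length > 1) return { error: 'duplicate x-limited-key-id header' };
  const raw = values[0].trim();
  if (!SUBKEY_ID.test(raw)) return { error: 'malformed x-limited-key-id header' };
  return { scope: 'subkey', id: Number(raw) };
}
```

The strict variant returns an error object for every case the lenient variant silently widened, so the caller can answer with a 4xx and log the rejected header value.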

Tracking


Advisories

No advisories yet.

History

Mon, 22 Jun 2026 22:00:00 +0000

Type | Values Removed | Values Added
Description | | Capgo before 12.128.2 contains a weak parsing vulnerability in the x-limited-key-id header that allows attackers to bypass subkey enforcement by submitting malformed values, zero, or duplicate headers that result in NaN or falsy values. Remote attackers can manipulate the x-limited-key-id header to disable limited key scoping and execute requests using the main API key context instead of restricted subkey permissions.
Title | | Capgo - Subkey Enforcement Bypass via x-limited-key-id Header Parsing
Weaknesses | | CWE-20
References | |
Metrics | | cvssV3_1: {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}
 | | cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N'}

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-22T21:04:46.832Z

Reserved: 2026-06-20T12:53:19.893Z

Link: CVE-2026-56306

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-22T23:45:04Z

Weaknesses
  • CWE-20

    Improper Input Validation