Description
Cap-go before 12.128.2 contains an information disclosure vulnerability in the OPTIONS /build/upload/:jobId/* endpoint that allows unauthenticated attackers to enumerate valid builder job IDs through observable response discrepancies. Attackers can probe the endpoint without authentication to distinguish valid job IDs from invalid ones and generate sustained unauthenticated traffic for resource consumption.
Published: 2026-06-21
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Cap-go before version 12.128.2 contains an information‑disclosure flaw in the OPTIONS /build/upload/:jobId/* endpoint that lets an unauthenticated user determine whether a specific builder job ID exists. By sending requests to this endpoint and observing differences in the responses, an attacker can systematically enumerate valid job identifiers. The direct impact is the exposure of job IDs, which may aid a more advanced attack or enable resource‑consumption attacks, but the vulnerability does not provide code execution or direct access to job contents.

Affected Systems

The Cap‑go project, specifically the Cap‑go Capgo application prior to version 12.128.2, is affected. No other vendors or products are listed in the advisory.

Risk and Exploitability

The CVSS base score of 6.9 indicates a moderate severity. No EPSS data is available and the issue is not listed in CISA’s KEV catalog. The likely attack vector is sending unauthenticated OPTIONS requests to the exposed endpoint, as the endpoint is publicly accessible and does not require authentication. This inference follows from the endpoint description and the fact that no credentials are mentioned. Because the probe can be repeated without restriction, an attacker could generate sustained traffic to exhaust resources or use the enumerated identifiers to target downstream components for more damaging attacks.

Generated by OpenCVE AI on June 21, 2026 at 17:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Cap‑go to version 12.128.2 or later to eliminate the vulnerability.
  • If an upgrade is not possible, restrict access to the /build/upload endpoint by firewall rules, VPN access, or a reverse‑proxy that blocks unauthenticated OPTIONS requests.
  • Monitor network traffic for frequent OPTIONS requests to detect probing attempts and apply rate‑limiting or alerting as needed.

Generated by OpenCVE AI on June 21, 2026 at 17:06 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 24 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Cap-go
Cap-go cap-go
Vendors & Products Cap-go
Cap-go cap-go

Sun, 21 Jun 2026 15:00:00 +0000

Type Values Removed Values Added
Description Cap-go before 12.128.2 contains an information disclosure vulnerability in the OPTIONS /build/upload/:jobId/* endpoint that allows unauthenticated attackers to enumerate valid builder job IDs through observable response discrepancies. Attackers can probe the endpoint without authentication to distinguish valid job IDs from invalid ones and generate sustained unauthenticated traffic for resource consumption.
Title Cap-go - Job Existence Oracle via Unauthenticated OPTIONS /build/upload/:jobId/*
Weaknesses CWE-203
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-24T17:56:30.537Z

Reserved: 2026-06-20T12:59:07.917Z

Link: CVE-2026-56316

cve-icon Vulnrichment

Updated: 2026-06-24T17:55:54.760Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T16:08:26Z

Weaknesses