Description
Capgo before 12.128.2 contains an information disclosure vulnerability in the GET /statistics/app/:app_id endpoint that allows app-limited API keys to distinguish existing sibling app IDs through differential error responses. Attackers can enumerate real app IDs outside their allowed scope by observing 500 PGRST116 errors for inaccessible apps versus 401 errors for nonexistent apps, breaking tenant isolation.
Published: 2026-06-20
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Capgo before 12.128.2 contains an information disclosure flaw in the GET /statistics/app/:app_id endpoint. When an app-limited API key is used, the server replies with different error codes based on the target app ID: a 500 error (PGRST116) indicates that the app exists but is out of the key's scope, while a 401 error signals that the app does not exist. Because of this differential response, an attacker can enumerate valid app IDs that belong to other tenants, effectively breaking tenant isolation and exposing internal identifiers.

Affected Systems

All deployments of Capgo with a server version earlier than 12.128.2 are vulnerable. The issue manifests in the public statistics route and can be triggered by any authenticated user possessing an app-limited API key. The product vendor is Capgo.

Risk and Exploitability

The CVSS base score of 5.3 classifies the flaw as a medium-severity information-disclosure vulnerability. No EPSS score is available, and the flaw is not listed in the CISA KEV catalog. The attack vector is a remote, network-based HTTP GET request to the statistics endpoint; an attacker only needs a legitimate API key scoped to a single tenant. By observing the differing error responses, enumeration of all sibling app IDs can be performed. This can give an attacker knowledge of the tenant's internal resource identifiers, potentially leading to further attacks if additional privileged actions are available.

Generated by OpenCVE AI on June 20, 2026 at 17:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Capgo 12.128.2 or later, where the endpoint no longer reveals existence information.
  • Restrict the statistics endpoint so that only administrators or the owning tenant can access it and ensure app-limited keys receive a uniform error response (e.g., always 404 or 403) regardless of whether the ID exists.
  • Implement rate limiting or access controls on the GET /statistics/app/:app_id route to reduce enumeration attempts.
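The uniform-error-response recommendation above, shown as an added JavaScript example. This is not Capgo's own code: the in-memory app table, the key names, the handler names and the response bodies are all constructed for illustration. The first handler reproduces the differential behaviour the advisory describes (500/PGRST116 for an out-of-scope app, 401 for a nonexistent one); the second collapses both cases into one identical 404, and a small regression check confirms that an app-limited key can no longer tell the two apart.

```javascript
// Added example, not Capgo's code. Constructed tenant data: app IDs and the
// API key that owns each one. Hypothetical IDs and keys.
const APPS = new Map([
  ['app-alpha', { owner: 'key-A' }],
  ['app-beta',  { owner: 'key-A' }],
  ['app-gamma', { owner: 'key-B' }],
]);

// Vulnerable shape from the advisory: existence is decided first, then the
// scope-filtered lookup finds zero rows and surfaces a database "no rows"
// error (PGRST116) as a 500, so the two failure modes differ.
function statisticsVulnerable(apiKey, appId) {
  const app = APPS.get(appId);
  if (!app) {
    return { status: 401, body: { error: 'unauthorized' } };
  }
  if (app.owner !== apiKey) {
    return { status: 500, body: { code: 'PGRST116' } };
  }
  return { status: 200, body: { appId, downloads: 0 } }; // constructed stat
}

// Hardened shape: existence and authorization are one decision with one
// frozen response, so status and body are byte-identical for
// "does not exist" and "exists but belongs to another tenant".
const NOT_FOUND = Object.freeze({ status: 404, body: Object.freeze({ error: 'app not found' }) });

function statisticsHardened(apiKey, appId) {
  const app = APPS.get(appId);
  if (!app || app.owner !== apiKey) {
    return NOT_FOUND;
  }
  return { status: 200, body: { appId, downloads: 0 } }; // constructed stat
}

// Regression check a defender can keep in the test suite: does the handler
// answer differently for an out-of-scope existing app and a nonexistent app
// when both are queried with the same app-limited key?
function isExistenceOracle(handler, apiKey, existingForeignId, nonexistentId) {
  const a = handler(apiKey, existingForeignId);
  const b = handler(apiKey, nonexistentId);
  return a.status !== b.status || JSON.stringify(a.body) !== JSON.stringify(b.body);
}

// Stand-alone demonstration with key-B, which must not learn about app-alpha.
console.log('vulnerable leaks existence:', isExistenceOracle(statisticsVulnerable, 'key-B', 'app-alpha', 'app-none'));
console.log('hardened leaks existence:  ', isExistenceOracle(statisticsHardened, 'key-B', 'app-alpha', 'app-none'));
```

The check only compares status and body. A response that is uniform on those two axes can still differ in latency or in headers, so the same comparison is worth extending to whatever other observable the deployment exposes before declaring the oracle closed.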

Tracking

Advisories

No advisories yet.

History

Sat, 20 Jun 2026 16:15:00 +0000

Type          Values Removed   Values Added
Description   (none)           Capgo before 12.128.2 contains an information disclosure vulnerability in the GET /statistics/app/:app_id endpoint that allows app-limited API keys to distinguish existing sibling app IDs through differential error responses. Attackers can enumerate real app IDs outside their allowed scope by observing 500 PGRST116 errors for inaccessible apps versus 401 errors for nonexistent apps, breaking tenant isolation.
Title         (none)           Capgo - App Existence Oracle via GET /statistics/app/:app_id
Weaknesses    (none)           CWE-203
References    (none)           (none)
Metrics       (none)           cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}
                               cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-20T15:24:48.150Z

Reserved: 2026-06-20T12:59:07.917Z

Link: CVE-2026-56319

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-20T17:30:08Z

Weaknesses