CVE-2026-56225
Status: Deferred - Pending Action
Authorization Bypass in Capgo API Key Management

Publication date: 2026-06-23

Last updated on: 2026-06-23

Assigner: VulnCheck

Description
Capgo before 12.128.2 contains an authorization bypass vulnerability in its public API key management handlers (get/put/delete/post). API keys created with mode=all but restricted to a single app via limited_to_apps are only checked for limited_to_orgs and not for limited_to_apps, so an app-scoped key can enumerate, update, and delete sibling API keys belonging to the same account that are outside its declared app scope, enabling tampering with account-level credentials.
Affected Vendors & Products

Vendor: capgo
Product: capgo
Version / Range: before 12.128.2 (12.128.2 itself is not affected)
CWE

CWE-269 (Improper Privilege Management): The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
Executive Summary

CVE-2026-56225 is an authorization bypass in Capgo versions before 12.128.2, affecting the public API key management handlers (get, put, delete, post).

An API key created with mode=all and restricted to a single app through limited_to_apps is checked by these handlers only against limited_to_orgs; its limited_to_apps restriction is never consulted. An app-scoped key can therefore enumerate, read, update, and delete sibling API keys on the same account that lie outside its declared app scope, including account-level keys.

The result is that a credential intended to act on one app can tamper with the account's other API keys, which defeats the purpose of scoping keys per app.
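The TypeScript below is an added illustration, not code from the Capgo project, of the check described in the Description and the Executive Summary above: a vulnerable key-management authorization check that consults only limited_to_orgs next to a fixed one that also consults limited_to_apps, run against a constructed set of sibling keys. Only the field names mode, limited_to_orgs and limited_to_apps and the value all come from the advisory; the ApiKey shape, the subset semantics of a scope list, the other mode values, the handler shapes and all sample keys are assumptions.

```typescript
// Added example, not Capgo's code: a model of the API-key management
// authorization check described in CVE-2026-56225. Only the field names
// `mode`, `limited_to_orgs`, `limited_to_apps` and the value `all` come from
// the advisory; the ApiKey shape, the subset semantics of a scope list, the
// other mode values and all sample data are assumptions.

type KeyMode = "read" | "write" | "all";

interface ApiKey {
  id: string;
  user_id: string;           // account that owns the key
  mode: KeyMode;
  limited_to_orgs: string[]; // [] = any org of the account
  limited_to_apps: string[]; // [] = any app of the account
}

type AuthzCheck = (caller: ApiKey, target: ApiKey) => boolean;

// A restriction list is honoured when the target's scope fits inside the
// caller's. An empty caller list means "unrestricted"; an empty target list
// means the target is account-wide, which is wider than any restricted caller.
function withinScope(callerScope: string[], targetScope: string[]): boolean {
  if (callerScope.length === 0) return true;
  if (targetScope.length === 0) return false;
  return targetScope.every((x) => callerScope.includes(x));
}

// Vulnerable shape (before 12.128.2): same account, mode=all, org scope
// checked, app scope never consulted.
function canManageKeyVulnerable(caller: ApiKey, target: ApiKey): boolean {
  if (caller.user_id !== target.user_id || caller.mode !== "all") return false;
  return withinScope(caller.limited_to_orgs, target.limited_to_orgs);
}

// Fixed shape: the app restriction is enforced on every management call.
function canManageKeyFixed(caller: ApiKey, target: ApiKey): boolean {
  if (caller.user_id !== target.user_id || caller.mode !== "all") return false;
  return (
    withinScope(caller.limited_to_orgs, target.limited_to_orgs) &&
    withinScope(caller.limited_to_apps, target.limited_to_apps)
  );
}

// Constructed sample keys. k_acct covers every app in org-1, so an app-scoped
// key should never be able to read, update or delete it.
const SAMPLE_KEYS: ApiKey[] = [
  { id: "k_acct",     user_id: "u1", mode: "all",   limited_to_orgs: ["org-1"], limited_to_apps: [] },
  { id: "k_app_a",    user_id: "u1", mode: "all",   limited_to_orgs: ["org-1"], limited_to_apps: ["app-a"] },
  { id: "k_app_b",    user_id: "u1", mode: "write", limited_to_orgs: ["org-1"], limited_to_apps: ["app-b"] },
  { id: "k_app_a_ro", user_id: "u1", mode: "read",  limited_to_orgs: ["org-1"], limited_to_apps: ["app-a"] },
  { id: "k_other",    user_id: "u2", mode: "all",   limited_to_orgs: ["org-9"], limited_to_apps: [] },
];
const APP_SCOPED_KEY: ApiKey = SAMPLE_KEYS[1]; // the attacker's credential: mode=all, one app

// Fresh copy of the key table for each simulated request sequence.
function sampleStore(): Map<string, ApiKey> {
  return new Map(SAMPLE_KEYS.map((k): [string, ApiKey] => [k.id, { ...k }]));
}

// GET handler model: which sibling keys does the caller get to see?
function visibleKeyIds(caller: ApiKey, keys: ApiKey[], check: AuthzCheck): string[] {
  return keys.filter((k) => check(caller, k)).map((k) => k.id);
}

// DELETE handler model: returns an HTTP-style status code.
function handleDelete(caller: ApiKey, targetId: string, store: Map<string, ApiKey>, check: AuthzCheck): number {
  const target = store.get(targetId);
  if (!target) return 404;
  if (!check(caller, target)) return 403;
  store.delete(targetId);
  return 200;
}

function demo(): void {
  const checks: [string, AuthzCheck][] = [["vulnerable", canManageKeyVulnerable], ["fixed", canManageKeyFixed]];
  for (const [name, check] of checks) {
    const store = sampleStore();
    console.log(name, "visible to k_app_a:", visibleKeyIds(APP_SCOPED_KEY, SAMPLE_KEYS, check).join(","));
    console.log(name, "DELETE k_acct by k_app_a ->", handleDelete(APP_SCOPED_KEY, "k_acct", store, check));
  }
}
demo();
```

Under the vulnerable check the app-scoped key sees and can delete k_acct and k_app_b, neither of which is within app-a; under the fixed check it only reaches keys whose app scope fits inside its own. The same check must be applied in all four handlers, since a gap in any one of them is enough to reproduce the bypass.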

Impact Analysis

An attacker who holds a mode=all API key restricted to one app via limited_to_apps (for example, a key issued to a single app's build or release pipeline) can enumerate, modify, or delete every sibling API key on the same account, not only those scoped to that app.

Because the affected operations include update and delete, the impact goes beyond disclosure: the attacker can revoke keys that other apps or pipelines depend on, or alter account-level keys, turning a narrowly scoped credential into a lever over the whole account's API credentials.

Mitigation Strategies

Upgrade Capgo to version 12.128.2 or later, where the issue has been patched so that the app restriction is enforced by the key management handlers.

Until the upgrade is applied, treat every mode=all key that is restricted to a single app via limited_to_apps as if it carried account-wide key-management rights: inventory such keys, narrow their scope where possible, and rotate any that may have been exposed. After upgrading, verify the fix by listing API keys with an app-scoped key and confirming that keys outside its app scope are no longer returned.

Compliance Impact

Because the vulnerability lets one app-scoped credential enumerate, modify, and delete API keys beyond its intended scope, it is an access-control failure over account-level credentials.

Where those keys guard personal or otherwise sensitive data, such a failure can conflict with the access-control requirements of regimes such as GDPR and HIPAA, which expect privileges to be restricted to what each actor needs.
