Executive Summary

CVE-2026-56229 is an authorization bypass vulnerability in Capgo versions before 12.128.2. It affects the /build/status and /build/logs endpoints, where an attacker can supply a mismatched combination of app_id and job_id to access build jobs belonging to different applications.

Specifically, even if an API key is restricted to a single app, an attacker can use the authorized app_id with a job_id from another app to retrieve sensitive build information such as logs, metadata, and potentially credentials. This happens because the system verifies the app_id against the API key but does not confirm that the job_id belongs to that app_id.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to unauthorized access to sensitive build information from other applications within the same organization.

• Exposure of build logs that may contain sensitive data such as credentials or environment details.
• Potential leakage of metadata related to build jobs.
• Increased risk of data breaches due to cross-app data exposure.

Overall, this can compromise the confidentiality of your build processes and sensitive information.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows unauthorized access to sensitive build information, including logs, metadata, and potentially credentials, across different applications within the same organization.

Such unauthorized data exposure can lead to non-compliance with common standards and regulations like GDPR and HIPAA, which require strict controls over access to sensitive and personal data.

By exposing potentially sensitive credentials and environment details to unauthorized users, the vulnerability increases the risk of data breaches and unauthorized data processing, which are critical compliance concerns under these regulations.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring and testing the /build/status and /build/logs endpoints for authorization bypass attempts. Specifically, attempts where an API key restricted to a single app is used with a mismatched app_id and job_id combination to access build data from other apps indicate the presence of this flaw.

To detect exploitation attempts, you can perform API requests using authorized app_ids paired with job_ids from different apps and observe if the system returns build status or logs that should be restricted.

Example commands using curl to test the vulnerability might look like this:

• curl -H "Authorization: Bearer <API_KEY_FOR_APP_A>" "https://<capgo-server>/build/status?app_id=AppA&job_id=JobID_from_AppB"
• curl -H "Authorization: Bearer <API_KEY_FOR_APP_A>" "https://<capgo-server>/build/logs?app_id=AppA&job_id=JobID_from_AppB"

If these commands return build status or logs for JobID_from_AppB despite the API key being restricted to AppA, the vulnerability is present.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade Capgo to version 12.128.2 or later, where the vulnerability has been fixed by binding job_id to app_id in the database before granting access.

Until the upgrade can be applied, restrict access to the /build/status and /build/logs endpoints to trusted users only and monitor API usage for suspicious mismatched app_id and job_id combinations.

Additionally, review and tighten API key permissions and consider implementing additional authorization checks to ensure job_id belongs to the authorized app_id.

Useful 0 Not Useful 0