CVE-2026-56231
Status: Received - Intake
Capgo BOLA Vulnerability in Build Endpoints

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: VulnCheck

Description
Capgo before 12.128.2 contains a broken object level authorization (BOLA) vulnerability in the POST /build/start/:jobId and POST /build/cancel/:jobId endpoints. The handlers authorize the request based only on the attacker-controlled app_id supplied in the request body and never verify that the jobId in the URL belongs to that app_id (or the same tenant/org) before issuing privileged builder commands with the server-held builder API key. An authenticated user with the app.build_native permission for any app they control can start or cancel arbitrary builder jobs belonging to other tenants by supplying a victim jobId, resulting in cross-tenant build sabotage (denial of service), unauthorized compute actions, and potential billing impact.
Meta Information
EPSS Evaluated: N/A
External records: NVD, EUVD
Affected Vendors & Products
Vendor: capgo
Product: capgo
Version / Range: all versions before 12.128.2 (12.128.2 itself excluded)
CWE
CWE-285: The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
Executive Summary

CVE-2026-56231 is a broken object level authorization (BOLA) vulnerability in Capgo versions before 12.128.2. It affects the POST /build/start/:jobId and POST /build/cancel/:jobId endpoints. The vulnerability arises because the server only checks the app_id supplied in the request body, which is attacker-controlled, but does not verify that the jobId in the URL belongs to the same app_id or tenant. This means an authenticated user with the app.build_native permission for any app they control can start or cancel build jobs belonging to other tenants by supplying a victim's jobId.

This flaw allows cross-tenant build sabotage, unauthorized compute actions, and potential billing impact because the attacker can manipulate other tenants' build jobs without proper authorization.

Compliance Impact

The vulnerability allows authenticated users to manipulate build jobs belonging to other tenants, leading to unauthorized actions such as denial-of-service, unauthorized compute usage, and potential billing impact.

Such unauthorized cross-tenant access and actions could result in violations of data protection and privacy regulations like GDPR or HIPAA, as it compromises tenant isolation and could lead to unauthorized access or disruption of services.

However, the provided information does not explicitly mention compliance impacts or specific regulatory consequences.

Impact Analysis

This vulnerability can have several impacts including:

  • Cross-tenant build sabotage, resulting in denial of service by starting or canceling other tenants' build jobs.
  • Unauthorized compute actions, where attackers can misuse compute resources belonging to other tenants.
  • Potential billing impact due to unauthorized usage of resources.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Capgo to version 12.128.2 or later where the broken object level authorization issue is fixed.

Additionally, ensure that the server resolves the jobId from the URL on its own side and confirms that the job belongs to the app_id (and the same tenant/org) the caller is authorized for before executing any privileged builder commands; the app_id in the request body must not be trusted on its own.

Restrict the app.build_native permission to trusted users only, as this permission allows starting or canceling build jobs.
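The following is an added example and not Capgo's code: a minimal, hypothetical build-job API written in TypeScript that shows the authorization pattern described in the advisory (permission check against the caller-supplied app_id only) beside a handler that also checks that the jobId belongs to that app and its tenant before any builder command is issued. All type names, function names, permission strings other than app.build_native, and sample tenants, apps, jobs and users are constructed for illustration.

```typescript
// Added example, not Capgo's code. Models a build endpoint that receives a
// jobId in the URL and an app_id in the request body, as in the advisory.
// All names and sample data below are constructed.

type Action = "start" | "cancel";
type Job = { jobId: string; appId: string; orgId: string };
type App = { appId: string; orgId: string };
type User = { id: string; perms: Record<string, string[]> }; // appId -> granted permissions
type Result = { status: number; error?: string };

// Constructed sample data: two tenants (orgs), one app each, one build job each.
const apps = new Map<string, App>([
  ["app-acme", { appId: "app-acme", orgId: "org-acme" }],
  ["app-mallory", { appId: "app-mallory", orgId: "org-mallory" }],
]);
const jobs = new Map<string, Job>([
  ["job-1001", { jobId: "job-1001", appId: "app-acme", orgId: "org-acme" }],
  ["job-2002", { jobId: "job-2002", appId: "app-mallory", orgId: "org-mallory" }],
]);

// Record of privileged commands sent to the (hypothetical) builder service.
// In the real system such calls carry a server-held builder API key, so the
// handler's own authorization check is the only control between a caller
// and another tenant's job.
const builderLog: string[] = [];
function builderCommand(action: Action, jobId: string): void {
  builderLog.push(`${action}:${jobId}`);
}

function hasPermission(user: User, appId: string, perm: string): boolean {
  return (user.perms[appId] ?? []).includes(perm);
}

// VULNERABLE pattern from the description: the only check is that the caller
// holds app.build_native on whatever app_id they chose to put in the body.
// The jobId from the URL is never tied to that app and goes straight to the builder.
function buildVulnerable(user: User, action: Action, jobId: string, body: { app_id: string }): Result {
  if (!hasPermission(user, body.app_id, "app.build_native")) {
    return { status: 403, error: "forbidden" };
  }
  builderCommand(action, jobId);
  return { status: 200 };
}

// FIXED: same permission check, then resolve the job server-side and require
// that it belongs to body.app_id and to that app's org before touching the builder.
function buildFixed(user: User, action: Action, jobId: string, body: { app_id: string }): Result {
  if (!hasPermission(user, body.app_id, "app.build_native")) {
    return { status: 403, error: "forbidden" };
  }
  const app = apps.get(body.app_id);
  const job = jobs.get(jobId);
  // A missing job and a job owned by another app/org get the same response,
  // so the endpoint does not confirm whether a foreign jobId exists.
  if (!app || !job || job.appId !== app.appId || job.orgId !== app.orgId) {
    return { status: 404, error: "job not found" };
  }
  builderCommand(action, jobId);
  return { status: 200 };
}

// Constructed caller: holds app.build_native only on their own app.
const mallory: User = { id: "u-mallory", perms: { "app-mallory": ["app.build_native"] } };

// Demonstration when run directly: the vulnerable handler accepts a job
// belonging to org-acme, the fixed handler rejects it and accepts only own jobs.
console.log(buildVulnerable(mallory, "cancel", "job-1001", { app_id: "app-mallory" })); // status 200
console.log(buildFixed(mallory, "cancel", "job-1001", { app_id: "app-mallory" }));      // status 404
console.log(buildFixed(mallory, "start", "job-2002", { app_id: "app-mallory" }));       // status 200
console.log(builderLog);
```

The fix does two things the vulnerable handler omits: it looks the job up by the server's own record rather than trusting anything about it from the request, and it checks both the app and the org so that a job cannot be reached through an app in a different tenant. Returning the same 404 for "no such job" and "not your job" keeps the endpoint from acting as an existence oracle for other tenants' job identifiers.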
