CVE-2026-56232
Capgo Subkey Bypass via x-limited-key-id Header

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: VulnCheck

Description
Capgo before 12.128.2 fails to enforce limited_to_orgs and limited_to_apps constraints on subkeys provided via x-limited-key-id header in middlewareKey function. Attackers can bypass subkey scope restrictions by referencing their own subkeys, causing all downstream route handlers to use the unrestricted parent key instead of the scoped subkey.
Affected Vendors & Products
Vendor: capgo
Product: capgo
Version / Range: before 12.128.2 (12.128.2 excluded)
CWE
CWE-863: The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
Compliance Impact

This vulnerability allows attackers to bypass subkey scope restrictions, causing downstream route handlers to use an unrestricted parent key instead of a scoped subkey. This results in unauthorized access to broader resources than intended.

Such unauthorized access can lead to violations of data protection principles required by common standards and regulations like GDPR and HIPAA, which mandate strict access controls and data minimization to protect sensitive information.

Therefore, exploitation of this vulnerability could undermine compliance with these regulations by enabling unauthorized data access and potentially exposing sensitive personal or health information.

Executive Summary

The vulnerability in Capgo versions before 12.128.2 occurs in the middlewareKey function, which fails to enforce the limited_to_orgs and limited_to_apps constraints on subkeys provided via the x-limited-key-id header.

This flaw allows attackers to bypass subkey scope restrictions by referencing their own subkeys, causing all downstream route handlers to use the unrestricted parent key instead of the intended scoped subkey.

Essentially, the system ignores the intended limited access of subkeys and defaults to the broader access of the parent key, enabling unauthorized access.

Impact Analysis

This vulnerability can lead to unauthorized access to resources because attackers can bypass the intended restrictions on subkeys.

By exploiting this flaw, an attacker can cause downstream route handlers to operate with the unrestricted parent key's permissions, potentially accessing or modifying data beyond their authorized scope.

This undermines the security model for distributed API keys and can result in data breaches, unauthorized operations, and compromise of sensitive information.

Mitigation Strategies

To mitigate this vulnerability, upgrade Capgo to version 12.128.2 or later, where the issue with enforcing limited_to_orgs and limited_to_apps constraints on subkeys via the x-limited-key-id header has been fixed.

Ensure that the middlewareKey function resolves the subkey named in the header, applies that subkey's limited_to_orgs and limited_to_apps scope to the request, and performs cross-tenant validation such as validateSubkeyUser so that a caller cannot reference a subkey owned by another user.
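The following is an added example illustrating the two checks the mitigation describes; it is written for this page and is not Capgo's code. The key record shape, the in-memory store, the sample keys, and the function names resolveEffectiveKey and canAccessApp are assumptions; the cross-tenant check is modelled on the validateSubkeyUser check named above. The vulnerable variant is included only to show how the downstream scope differs once the subkey, rather than the parent key, is returned.

```typescript
// Added example, not Capgo's code. Models a key-resolution middleware that
// honours a subkey named via the x-limited-key-id header.

interface ApiKey {
  id: string;
  userId: string;           // owner of the key (assumed field)
  limitedToOrgs: string[];  // empty array = no org restriction
  limitedToApps: string[];  // empty array = no app restriction
}

interface KeyStore {
  findById(id: string): ApiKey | undefined;
}

// Constructed sample keys: one unrestricted parent key, one scoped subkey of
// the same user, and one subkey belonging to a different user.
const sampleKeys: ApiKey[] = [
  { id: "parent-1", userId: "user-a", limitedToOrgs: [], limitedToApps: [] },
  { id: "sub-1", userId: "user-a", limitedToOrgs: ["org-1"], limitedToApps: ["app-1"] },
  { id: "sub-other", userId: "user-b", limitedToOrgs: ["org-9"], limitedToApps: [] },
];

const sampleStore: KeyStore = {
  findById: (id) => sampleKeys.find((k) => k.id === id),
};

// HTTP header names are case-insensitive; look the header up accordingly.
function getHeader(headers: Record<string, string>, name: string): string | undefined {
  const wanted = name.toLowerCase();
  for (const [k, v] of Object.entries(headers)) {
    if (k.toLowerCase() === wanted) return v;
  }
  return undefined;
}

// Vulnerable pattern (as the advisory describes it): the subkey is looked up,
// but the unrestricted parent key is what downstream handlers receive.
function resolveEffectiveKeyVulnerable(
  parent: ApiKey,
  headers: Record<string, string>,
  store: KeyStore,
): ApiKey {
  const subkeyId = getHeader(headers, "x-limited-key-id");
  if (subkeyId !== undefined) {
    store.findById(subkeyId); // result is discarded
  }
  return parent; // scope of the subkey is never applied
}

// Hardened pattern: the subkey must exist, must belong to the same user as the
// authenticated parent key (cross-tenant check), and is itself returned so
// that its limited_to_orgs / limited_to_apps scope governs the request.
function resolveEffectiveKey(
  parent: ApiKey,
  headers: Record<string, string>,
  store: KeyStore,
): ApiKey {
  const subkeyId = getHeader(headers, "x-limited-key-id");
  if (subkeyId === undefined) return parent;

  const sub = store.findById(subkeyId);
  if (sub === undefined) throw new Error("unknown subkey");
  if (sub.userId !== parent.userId) {
    throw new Error("subkey is not owned by the authenticated user");
  }
  return sub;
}

// Downstream authorization: both the org and the app constraint must allow
// the target. An empty list means the dimension is unrestricted.
function canAccessApp(key: ApiKey, orgId: string, appId: string): boolean {
  const orgOk = key.limitedToOrgs.length === 0 || key.limitedToOrgs.includes(orgId);
  const appOk = key.limitedToApps.length === 0 || key.limitedToApps.includes(appId);
  return orgOk && appOk;
}

// Convenience wrapper returning the decision for a whole request.
function authorizeRequest(
  parent: ApiKey,
  headers: Record<string, string>,
  store: KeyStore,
  orgId: string,
  appId: string,
): boolean {
  const effective = resolveEffectiveKey(parent, headers, store);
  return canAccessApp(effective, orgId, appId);
}
```

With the sample data, a request that names sub-1 is allowed to touch org-1/app-1 but denied org-2/app-1, whereas the vulnerable variant would allow both because it keeps the parent key's empty (unrestricted) scope. Naming sub-other, which belongs to a different user, is rejected before any scope is evaluated.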
