CVE-2026-56242
Status: Received - Intake
Unauthenticated API Key Validity Oracle in Capgo

Publication date: 2026-06-21

Last updated on: 2026-06-21

Assigner: VulnCheck

Description
Capgo before 12.128.2 contains an unauthenticated security definer RPC function get_identity_apikey_only that returns the owning user_id for supplied API keys, creating an API key validity oracle and user identity disclosure primitive. Attackers can call this endpoint with valid or invalid API keys to confirm key validity and map keys to user identifiers, then chain results into other exposed RPCs like get_orgs_v6 to retrieve organization membership and management email PII.
Meta Information
Generated: 2026-06-21
CVSS Scores: none listed
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor: capgo
Product: capgo
Version / Range: all versions before 12.128.2 (12.128.2 itself is not affected)
CWE
CWE-200: The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
Compliance Impact

This vulnerability exposes sensitive user identity information and personally identifiable information (PII) such as management emails through unauthenticated access to API key validity and user mapping functions.

Such exposure of PII and unauthorized access to user-related data can lead to non-compliance with data protection regulations like GDPR and HIPAA, which require strict controls over personal data access and disclosure.

The ability for attackers to confirm API key validity and retrieve user and organizational PII without authentication increases the risk of data breaches, targeted phishing attacks, and unauthorized data processing, all of which are critical compliance concerns under these standards.

Executive Summary

CVE-2026-56242 is an information-disclosure vulnerability (CWE-200) in Capgo versions before 12.128.2 involving an unauthenticated RPC function named get_identity_apikey_only.

This function returns the owning user ID for supplied API keys without requiring authentication, effectively creating an API key validity oracle and allowing user identity disclosure.

Attackers can supply valid or invalid API keys to confirm their validity and map keys to user identifiers.

The disclosed user IDs can then be used with other exposed RPCs, such as get_orgs_v6, to retrieve sensitive information like organization membership and management email personally identifiable information (PII).

Impact Analysis

This vulnerability allows attackers to confirm the validity of API keys without authentication, enabling them to map API keys to specific user identities.

By chaining this information with other exposed RPCs, attackers can access sensitive data such as organization membership details and management email addresses, which are considered PII.

The exposure of this information can facilitate targeted attacks like phishing and organizational mapping.

Detection Guidance

This vulnerability can be detected by calling the unauthenticated RPC function `get_identity_apikey_only` with a known-valid API key and with a random, deliberately invalid one, then comparing the responses: a user_id for the valid key and null for the invalid key means the function is answering as a validity oracle.

A practical check sends requests with the `capgkey` header set to each key and observes the responses. If user UUIDs come back for valid keys with no user session or other authentication beyond the key itself, the vulnerability is present. Use a throwaway key you control for the valid case rather than a production key, since the probe hands the key to the target.

Example command (assumption: the function is exposed through Supabase's PostgREST endpoint, where functions are called as POST /rest/v1/rpc/<function> with the project's public anon key; the function's argument list is not given on this page, so pass whatever parameters it declares, or an empty object if it has none):

  • curl -X POST -H "apikey: <ANON_KEY>" -H "Authorization: Bearer <ANON_KEY>" -H "capgkey: <API_KEY>" -H "Content-Type: application/json" -d '{}' https://<capgo-server>/rest/v1/rpc/get_identity_apikey_only

A user UUID for the valid key and null for the invalid key confirms the oracle. A permission-denied error for both keys indicates that anonymous execution of the function has been revoked.

Mitigation Strategies

Immediate mitigation is to revoke EXECUTE on the vulnerable RPC function `get_identity_apikey_only` from the anonymous (`anon`) role, and from PUBLIC, to which PostgreSQL grants EXECUTE by default on every new function. Because the function is SECURITY DEFINER, that EXECUTE grant is the only gate between an unauthenticated caller and the owner's privileges.

Additionally, tighten default privileges so that new functions and tables in the exposed schema are not automatically executable or readable by `anon`, and review other functions that return user identifiers or organization data.

Ensure related RPC functions such as `get_orgs_v6` perform their own authorization check (that the caller is authenticated and entitled to the organization being queried) rather than trusting a caller-supplied user_id; otherwise a user_id learned through the oracle is all an attacker needs.

Updating Capgo to version 12.128.2 or later, where this vulnerability is fixed, is strongly recommended.
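The following SQL is an added example written for this entry; it is not code from the Capgo project or from its fix. It covers both the detection check above (from inside the database rather than over HTTP) and the mitigation steps. It assumes a Supabase-style PostgreSQL backend, as the description's "security definer RPC" and "anon" wording implies: the function lives in schema public, the roles are named anon and authenticated, and PostgREST exposes request headers through the request.headers setting as JSON, from which the function is assumed to read `capgkey`. The parameter list of get_identity_apikey_only is not given on this page, so the audit looks the function up in pg_proc instead of hard-coding a signature, and the simulated call assumes a no-argument signature (adjust it to the real one). Run as a superuser or the function owner, against a staging copy first.

```sql
-- Added example (not Capgo's code): audit, reproduce and close the anonymous
-- EXECUTE grant on a Supabase-style PostgreSQL backend. Assumptions: schema
-- "public", Supabase roles "anon"/"authenticated", PostgREST's request.headers
-- setting, and a no-argument signature for the simulated call.

-- 1. Audit: which roles may execute the oracle function and get_orgs_v6?
--    Looking the functions up in pg_proc avoids hard-coding their signatures.
--    A NULL acl means default privileges, i.e. EXECUTE for PUBLIC.
SELECT p.oid::regprocedure                                        AS signature,
       p.prosecdef                                                AS security_definer,
       has_function_privilege('anon', p.oid, 'EXECUTE')           AS anon_can_execute,
       has_function_privilege('authenticated', p.oid, 'EXECUTE')  AS authenticated_can_execute,
       p.proacl                                                   AS acl
FROM   pg_proc p
WHERE  p.pronamespace = 'public'::regnamespace
AND    p.proname IN ('get_identity_apikey_only', 'get_orgs_v6');

-- 2. Reproduce what PostgREST does for an unauthenticated request: run as the
--    anon role with a capgkey header injected. The key is a constructed
--    placeholder, not a real one, and the transaction is rolled back.
BEGIN;
SET LOCAL ROLE anon;
SELECT set_config('request.headers', '{"capgkey":"constructed-probe-key"}', true);
SELECT public.get_identity_apikey_only();   -- assumed no-argument signature
ROLLBACK;
-- Vulnerable: the call succeeds and returns a user_id (or NULL for a bogus key).
-- Fixed:      ERROR: permission denied for function get_identity_apikey_only

-- 3. Close the hole. PostgreSQL grants EXECUTE to PUBLIC on every new
--    function, and every role is a member of PUBLIC, so revoke from both.
--    The form without an argument list is valid when the name is not
--    overloaded; otherwise give the argument types.
REVOKE EXECUTE ON FUNCTION public.get_identity_apikey_only FROM PUBLIC, anon;
-- Re-grant only to a role with a legitimate need, if any:
-- GRANT EXECUTE ON FUNCTION public.get_identity_apikey_only TO authenticated;

-- 4. Tighten defaults so the next function does not ship with anonymous
--    EXECUTE. This applies to functions created by the role running it
--    (add FOR ROLE <owner> for the role your migrations use). Supabase
--    projects commonly also carry a default GRANT on functions to anon and
--    authenticated, hence the second statement.
ALTER DEFAULT PRIVILEGES IN SCHEMA public REVOKE EXECUTE ON FUNCTIONS FROM PUBLIC;
ALTER DEFAULT PRIVILEGES IN SCHEMA public REVOKE EXECUTE ON FUNCTIONS FROM anon;

-- 5. Re-run step 1: anon_can_execute must now be false for both functions,
--    and step 2 must fail with permission denied.
```

Step 2 is the in-database equivalent of the curl check in the detection section and is the quickest way to confirm the fix without a valid API key: once the REVOKE in step 3 is applied, the call fails before the function body runs, so the validity of the supplied key no longer matters. Step 3 alone stops the disclosure; step 4 prevents the same mistake from recurring with the next SECURITY DEFINER function added to the schema.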
