CVE-2026-56295
Status: Received - Intake
Authorization Bypass in Capgo Webhook Management

Publication date: 2026-06-20

Last updated on: 2026-06-20

Assigner: VulnCheck

Description
Capgo before 12.128.2 contains an authorization bypass vulnerability in webhook management endpoints that allows non-expiring API keys to bypass the require_apikey_expiration organization policy. The checkWebhookPermission function fails to call apikeyHasOrgRightWithPolicy, enabling attackers with legacy non-expiring keys to list, create, and delete webhooks despite explicit organizational policy requiring key expiration.
Meta Information
Published: 2026-06-20
Last Modified: 2026-06-20
Generated: 2026-06-20
AI Q&A: 2026-06-20
EPSS Evaluated: N/A
Related entries: NVD, EUVD
Affected Vendors & Products (1 associated CPE)
Vendor: cap-go
Product: capgo
Version / Range: all versions before 12.128.2 (12.128.2 excluded)
CWE
CWE-285 (Improper Authorization): The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
AI Quick Actions
Executive Summary

CVE-2026-56295 is an authorization bypass vulnerability in Capgo versions before 12.128.2 that affects webhook management endpoints.

The vulnerability allows non-expiring API keys to bypass the organization's policy that requires API keys to expire. This happens because the function responsible for checking webhook permissions (checkWebhookPermission) does not enforce the expiration policy by failing to call the correct policy helper (apikeyHasOrgRightWithPolicy).

As a result, attackers with legacy non-expiring API keys can list, create, and delete webhooks even when the organization explicitly requires API key expiration.

Impact Analysis

This vulnerability allows unauthorized actions on webhook management endpoints despite organizational policies designed to restrict such actions.

Attackers possessing legacy non-expiring API keys can bypass expiration requirements and perform privileged operations such as listing, creating, and deleting webhooks.

This could lead to unauthorized changes in webhook configurations, potentially disrupting integrations, causing data leakage, or enabling further attacks through manipulated webhook behavior.

Detection Guidance

This vulnerability can be detected by testing whether non-expiring API keys are able to perform webhook management operations such as listing, creating, or deleting webhooks despite the organization policy requiring API key expiration.

A practical approach is to attempt webhook management API calls using legacy non-expiring API keys and observe whether these calls succeed without a 401 Unauthorized error.

Commands or scripts can be crafted to use these non-expiring API keys to call webhook endpoints and check for successful responses, indicating the bypass.

Mitigation Strategies

The immediate mitigation step is to upgrade Capgo to version 12.128.2 or later, where this authorization bypass vulnerability has been fixed.

Until the upgrade is applied, avoid using legacy non-expiring API keys for webhook management operations, or revoke and replace them with keys that comply with the require_apikey_expiration policy.

Additionally, review and enforce organizational policies to ensure API keys have expiration and monitor webhook management activities for unauthorized access.

Compliance Impact

The vulnerability allows non-expiring API keys to bypass organizational policies that require API key expiration, specifically in webhook management endpoints. This improper authorization could lead to unauthorized access and modification of webhook configurations, potentially exposing sensitive data or enabling unauthorized actions.

Such a bypass of security controls may impact compliance with standards and regulations like GDPR and HIPAA, which require strict access controls and protection of sensitive data. Failure to enforce API key expiration policies could be seen as a weakness in an organization's security posture, potentially leading to non-compliance with these regulations.
