CVE-2026-56299
Received Received - Intake
Authentication Bypass in Capgo via OPTIONS Request

Publication date: 2026-06-21

Last updated on: 2026-06-21

Assigner: VulnCheck

Description
Capgo before 12.128.2 contains an authentication bypass vulnerability in the /build/upload/:jobId/* endpoint that allows unauthenticated attackers to trigger consistent 500 errors. Remote attackers can send OPTIONS requests to bypass authentication middleware and invoke tusProxy logic with invalid credentials, enabling trivial request flooding and denial of service.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-21
Last Modified
2026-06-21
Generated
2026-06-21
AI Q&A
2026-06-21
EPSS Evaluated
N/A
NVD
CVE-2026-56299
EUVD
EUVD-2026-38171
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
capgo capgo to 12.128.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-306 The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

CVE-2026-56299 is an authentication bypass vulnerability in Capgo versions before 12.128.2 affecting the /build/upload/:jobId/* endpoint.

Unauthenticated attackers can send HTTP OPTIONS requests to this endpoint, which bypasses the authentication middleware and directly invokes the tusProxy logic with invalid or empty credentials.

This causes the server to consistently return 500 Internal Server Errors, regardless of whether the jobId exists, due to missing valid authentication context.

The vulnerability allows attackers to trigger these errors repeatedly, leading to request flooding and denial of service.

Impact Analysis

This vulnerability can be exploited by unauthenticated attackers to cause a denial of service (DoS) on the Capgo API by flooding the /build/upload/:jobId/* endpoint with OPTIONS requests.

Repeated triggering of 500 Internal Server Errors can overwhelm server resources, amplify logs, and disrupt normal application functionality.

Because the authentication middleware is bypassed, attackers do not need valid credentials, making the attack trivial to perform.

Detection Guidance

This vulnerability can be detected by sending unauthenticated HTTP OPTIONS requests to the /build/upload/:jobId and /build/upload/:jobId/* endpoints and observing if the server responds with consistent 500 Internal Server Errors.

A proof of concept command to test this is using curl to send an OPTIONS request without authentication headers.

  • curl -X OPTIONS https://<target-host>/build/upload/<jobId>
  • curl -X OPTIONS https://<target-host>/build/upload/<jobId>/*

If these commands consistently return HTTP 500 errors, it indicates the presence of the vulnerability.

Mitigation Strategies

Immediate mitigation involves updating the Capgo software to version 12.128.2 or later, where this authentication bypass vulnerability has been patched.

Until the update can be applied, consider implementing network-level controls such as blocking or rate-limiting unauthenticated OPTIONS requests to the /build/upload/:jobId/* endpoints to reduce the risk of denial-of-service attacks.

Monitoring logs for repeated 500 Internal Server Errors triggered by OPTIONS requests can also help in early detection and response.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-56299. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart