CVE-2026-56300
Status: Received - Intake

BaseFortify

Vulnerability report for CVE-2026-56300, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-30

Last updated on: 2026-06-30

Assigner: VulnCheck

Description

Capgo before 12.128.2 contains unauthenticated security definer RPC functions get_user_id and get_org_perm_for_apikey that expose API key validity oracles and user UUID disclosure. Unauthenticated attackers using the public API key can validate leaked keys, enumerate users and apps, and determine permission levels, significantly increasing the actionability of compromised credentials.


Meta Information

Published: 2026-06-30
Last Modified: 2026-06-30
Generated: 2026-07-01
AI Q&A: 2026-07-01
EPSS Evaluated: N/A
External records: NVD, EUVD

Affected Vendors & Products

Showing 1 associated CPE

Vendor    Product    Version / Range
capgo     capgo      all versions before 12.128.2 (12.128.2 excluded)

CWE

CWE-200: The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

AI Quick Actions

Executive Summary

This vulnerability exists in Capgo versions before 12.128.2 and involves unauthenticated security definer RPC functions named get_user_id and get_org_perm_for_apikey.

These functions expose API key validity oracles and user UUID disclosure, allowing unauthenticated attackers to use the public API key to validate leaked API keys, enumerate users and applications, and determine permission levels.

This significantly increases the usefulness of compromised credentials for attackers.

Impact Analysis

The vulnerability allows unauthenticated attackers to validate leaked API keys, enumerate users and applications, and determine permission levels, all without holding any valid credential of their own.

This means attackers can confirm which API keys are valid and understand the scope of access those keys provide, increasing the risk of unauthorized access and misuse of your system.

As a result, compromised credentials become more actionable, potentially leading to data exposure or unauthorized operations.
