CVE-2026-56316
Received Received - Intake
Information Disclosure in Cap-go via Job ID Enumeration

Publication date: 2026-06-21

Last updated on: 2026-06-21

Assigner: VulnCheck

Description
Cap-go before 12.128.2 contains an information disclosure vulnerability in the OPTIONS /build/upload/:jobId/* endpoint that allows unauthenticated attackers to enumerate valid builder job IDs through observable response discrepancies. Attackers can probe the endpoint without authentication to distinguish valid job IDs from invalid ones and generate sustained unauthenticated traffic for resource consumption.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-21
Last Modified
2026-06-21
Generated
2026-06-21
AI Q&A
2026-06-21
EPSS Evaluated
N/A
NVD
CVE-2026-56316
EUVD
EUVD-2026-38172
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
cap-go capgo to 12.128.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-203 The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor, which exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

CVE-2026-56316 is an information disclosure vulnerability in Cap-go versions before 12.128.2. It exists in the OPTIONS /build/upload/:jobId/* endpoint, which is accessible without authentication.

This flaw allows unauthenticated attackers to determine whether specific builder job IDs exist by observing differences in the server's responses. For example, the endpoint returns different status codes and headers depending on whether the job ID is valid or not, effectively acting as an oracle.

Attackers can exploit this to enumerate valid job IDs without needing to authenticate, potentially generating sustained unauthenticated traffic.

Impact Analysis

This vulnerability can impact you by allowing attackers to enumerate valid builder job IDs without authentication, which may lead to information disclosure about your system's internal job identifiers.

Additionally, because the endpoint processes these unauthenticated requests with non-trivial latency, attackers could exploit it to generate sustained traffic, potentially causing resource consumption issues or denial-of-service conditions.

Detection Guidance

This vulnerability can be detected by sending unauthenticated OPTIONS requests to the /build/upload/:jobId/* endpoint and observing the differences in server responses.

Specifically, you can probe different job IDs and check the HTTP status codes and response headers:

  • For non-existent job IDs, the server returns a 204 status code with TUS capability headers.
  • For valid job IDs, the server returns a 404 JSON error.

A sample command using curl to test a job ID could be:

  • curl -X OPTIONS https://your-capgo-instance/build/upload/<jobId>/ -i

By iterating over different job IDs and analyzing the response codes and headers, you can detect if the vulnerability is present.

Mitigation Strategies

Immediate mitigation steps include:

  • Require authentication for the OPTIONS /build/upload/:jobId/* endpoint to prevent unauthenticated access.
  • Implement static responses for OPTIONS requests to avoid observable discrepancies that reveal valid job IDs.
  • Add rate limiting on this endpoint to mitigate potential denial-of-service or resource consumption attacks caused by sustained unauthenticated traffic.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-56316. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart