CVE-2026-56319
Status: Received - Intake
Information Disclosure in Capgo via API Key Exploitation

Publication date: 2026-06-20

Last updated on: 2026-06-20

Assigner: VulnCheck

Description
Capgo before 12.128.2 contains an information disclosure vulnerability in the GET /statistics/app/:app_id endpoint that allows app-limited API keys to distinguish existing sibling app IDs through differential error responses. Attackers can enumerate real app IDs outside their allowed scope by observing 500 PGRST116 errors for inaccessible apps versus 401 errors for nonexistent apps, breaking tenant isolation.
Meta Information
Published: 2026-06-20
Last Modified: 2026-06-20
Generated: 2026-06-20
AI Q&A: 2026-06-20
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor: capgo
Product: capgo
Version / Range: before 12.128.2 (12.128.2 excluded)
CWE
CWE-203: The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor, which exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not.
AI Quick Actions
Impact Analysis

This vulnerability can impact you by allowing attackers with app-limited API keys to enumerate real app IDs outside their authorized scope.

By distinguishing existing sibling app IDs from non-existent ones through differential error responses, attackers can break tenant isolation and potentially gain unauthorized knowledge about other apps in the system.

This information disclosure could lead to further targeted attacks or unauthorized access attempts against other tenants or applications.

Detection Guidance

This vulnerability can be detected by using an app-limited API key to send requests to the GET /statistics/app/:app_id endpoint and observing the HTTP status codes returned.

  • Send a request with an app-limited API key to an allowed app ID and expect a 200 status code.
  • Send a request with the same API key to a sibling app ID outside the allowed scope and observe if a 500 error with PGRST116 is returned.
  • Send a request with the same API key to a non-existent or fake app ID and observe if a 401 error is returned.

A different error response for a real sibling app (500 with PGRST116) than for a non-existent app (401) confirms the discrepancy, since the status code alone reveals whether an app ID outside the key's scope exists.

Example curl commands to test this could be:

  • curl -H "Authorization: Bearer <app-limited-API-key>" https://<capgo-server>/statistics/app/<allowed_app_id>
  • curl -H "Authorization: Bearer <app-limited-API-key>" https://<capgo-server>/statistics/app/<sibling_app_id_outside_scope>
  • curl -H "Authorization: Bearer <app-limited-API-key>" https://<capgo-server>/statistics/app/<nonexistent_app_id>

Mitigation Strategies

The immediate mitigation step is to upgrade Capgo to version 12.128.2 or later, where this vulnerability has been patched.

Until the upgrade can be applied, restrict the use of app-limited API keys to trusted users and monitor API usage for suspicious enumeration attempts.

Additionally, review and tighten the RBAC permission checks so that a request for an app outside the key's scope is rejected before any data access, and so that an out-of-scope app and a non-existent app produce the same response.

Compliance Impact

This vulnerability allows attackers to enumerate real app IDs outside their allowed scope by exploiting differential error responses, breaking tenant and app isolation.

Such information disclosure and tenant isolation breaches could potentially lead to unauthorized access to sensitive data, which may impact compliance with data protection regulations like GDPR and HIPAA that require strict controls on data access and tenant separation.

However, the provided context and resources do not explicitly discuss the direct impact on compliance with these standards.

Executive Summary

CVE-2026-56319 is an information disclosure vulnerability in Capgo versions before 12.128.2. It occurs in the GET /statistics/app/:app_id endpoint, where app-limited API keys can distinguish between existing sibling app IDs and non-existent ones by analyzing different error responses.

Specifically, when an app-limited read key is used, the endpoint returns a 200 status for allowed apps, a 500 error with PGRST116 for real sibling apps outside the key's scope, and a 401 error for fake or non-existent app IDs. This difference in responses allows attackers to enumerate real app IDs beyond their permitted scope, breaking tenant and app isolation.

The root cause is improper permission checks in the RBAC system: the API key principal is only checked if the user principal fails, so the scope failure for an existing sibling app surfaces as a database error (500 with PGRST116) while a non-existent app is rejected earlier with a 401, giving inconsistent error responses.
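To make the root cause and the mitigation advice above concrete, here is an added illustration written for this page (it is not Capgo's own code). It assumes a simplified PostgREST-style data layer in which a `.single()` query that matches no row fails with code PGRST116 and is surfaced as HTTP 500; the app table, principal shapes and handler names are constructed for the example.

```typescript
// Simplified model of an observable-discrepancy (CWE-203) bug of the kind
// described for CVE-2026-56319, alongside one way to close it.
// Assumption: a PostgREST-style ".single()" query with zero matching rows
// raises PGRST116, which an unguarded handler passes through as HTTP 500.

type Principal =
  | { kind: "user"; orgId: string }
  | { kind: "apikey"; allowedApps: string[] };

type AppRow = { orgId: string; installs: number };

// Constructed sample data: two sibling apps in one org.
const APPS: Record<string, AppRow> = {
  "app.one": { orgId: "org-a", installs: 120 },
  "app.two": { orgId: "org-a", installs: 45 },
};

class PostgrestError extends Error {
  constructor(public code: string) { super(code); }
}

// Row-filtered lookup: the principal's scope is applied as a row filter, so an
// existing-but-out-of-scope app returns zero rows and fails like PGRST116.
function selectSingleStats(appId: string, p: Principal): { installs: number } {
  const row = APPS[appId] as AppRow | undefined;
  const inScope = p.kind === "user"
    ? row?.orgId === p.orgId
    : p.allowedApps.includes(appId);
  if (row === undefined || !inScope) throw new PostgrestError("PGRST116");
  return { installs: row.installs };
}

// Vulnerable shape: existence is decided first (401), and the scope failure
// only shows up later as a database error (500), so the status code leaks
// whether an out-of-scope app ID exists.
function vulnerableHandler(appId: string, p: Principal): number {
  if (!(appId in APPS)) return 401;           // unknown app rejected early
  try { selectSingleStats(appId, p); return 200; }
  catch { return 500; }                       // PGRST116 surfaces as 500
}

// Hardened shape: authorize against the key's own scope before touching any
// data, and return one uniform status for every denied or unknown ID.
function hardenedHandler(appId: string, p: Principal): number {
  if (p.kind === "apikey" && !p.allowedApps.includes(appId)) return 401;
  try { selectSingleStats(appId, p); return 200; }
  catch { return 401; }                       // unknown == out-of-scope
}
```

With the hardened handler an app-limited key sees 200 for its own app and 401 for everything else, so probing sibling IDs yields no signal.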
