CVE-2026-56240
Received Received - Intake

Billing Authorization Bypass in Capgo

Vulnerability report for CVE-2026-56240, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-11

Last updated on: 2026-07-11

Assigner: VulnCheck

Description

Capgo before 12.128.12 contains a billing authorization bypass vulnerability in the plan_valid calculation that allows organizations with exhausted or expired usage credit grants to bypass billing gates. Attackers can exploit the divergence between the plugin hot-path plan_valid expression and the authoritative billing gate to gain continued access to /updates, /stats, /channel_self, and attachment upload endpoints after credit depletion.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-11
Last Modified
2026-07-11
Generated
2026-07-11
AI Q&A
2026-07-11
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
capgo capgo to 12.128.12 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-285 The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-56240 is a billing authorization bypass vulnerability in Capgo versions before 12.128.12. The issue arises because the plugin's plan validation logic incorrectly determines if an organization has usage credits. It relies on a flag that only checks for the existence of any usage credit grants, without verifying if those credits are actually available or expired.

This causes a mismatch between the plugin's plan_valid expression and the authoritative billing gate, allowing organizations with exhausted or expired credits to bypass billing restrictions.

Attackers can exploit this divergence to gain continued access to certain endpoints such as /updates, /stats, /channel_self, and attachment upload endpoints even after their credits have been depleted.

Impact Analysis

This vulnerability allows attackers or organizations to bypass billing gates and continue accessing services without valid usage credits.

  • Continued access to endpoints like /updates, /stats, /channel_self, and attachment uploads after credit depletion.
  • Potential unauthorized use of services without proper billing, leading to financial loss or abuse of resources.
  • Undermines the integrity of billing and authorization mechanisms within the affected Capgo system.
Detection Guidance

Detection of this vulnerability involves identifying whether organizations with exhausted or expired usage credits are still able to access restricted endpoints such as /updates, /stats, /channel_self, and attachment upload endpoints.

One approach is to monitor access logs for these endpoints and correlate access attempts with the usage credit status of the organizations. If access is granted despite zero or expired credits, the vulnerability may be present.

Specific commands are not provided in the available resources, but general steps include querying the database to check the usage credit balances and comparing them with access logs to detect unauthorized access.

Mitigation Strategies

Immediate mitigation involves correcting the authorization logic to ensure that only organizations with positive, unexpired usage credits can access the affected endpoints.

Specifically, replace the current check using the orgs.has_usage_credits flag with a more accurate validation such as orgs.has_positive_credit_balance, which verifies the sum of unexpired and unconsumed credits.

Additionally, apply any available patches or upgrade to Capgo version 12.128.12 or later, where this issue has been fixed.

Regression tests should be added to ensure the fix properly handles edge cases like fully consumed or expired grants.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-56240. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart