CVE-2026-56252
Received Received - Intake

Capgo Scope Isolation Bypass via API Key Abuse

Vulnerability report for CVE-2026-56252, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-12

Last updated on: 2026-07-12

Assigner: VulnCheck

Description

Capgo before 12.128.2 contains a scope isolation vulnerability in the POST /webhooks/test endpoint that allows app-scoped API keys to invoke org-scoped webhook operations. Attackers with app-scoped credentials can trigger signed outbound webhook deliveries for arbitrary organization webhooks outside their declared app boundary, bypassing the limited_to_apps authorization check.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-12
Last Modified
2026-07-12
Generated
2026-07-12
AI Q&A
2026-07-12
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
cap-go capgo to 12.128.2 (exc)
capgo capgo to 12.128.2 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

The provided information does not specify how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

CVE-2026-56252 is a scope isolation vulnerability in Capgo versions before 12.128.2 affecting the POST /webhooks/test endpoint.

The flaw allows app-scoped API keys, which should be limited to specific apps, to invoke organization-scoped webhook operations outside their intended app boundaries.

This happens because the system improperly enforces authorization checks: it validates organization admin rights and limited_to_orgs but fails to enforce the limited_to_apps restriction for API keys.

As a result, an attacker with app-scoped credentials can trigger signed outbound webhook deliveries for any webhook in the organization, bypassing intended security restrictions.

Impact Analysis

This vulnerability can lead to unauthorized triggering of outbound webhook traffic beyond the scope of the app-scoped API key.

Attackers can interact with downstream integrations outside their app scope, potentially causing unintended actions or data exposure.

Additionally, attackers may gain access to delivery metadata related to webhooks they should not have permission to access.

Detection Guidance

This vulnerability involves app-scoped API keys invoking org-scoped webhook test deliveries via the POST /webhooks/test endpoint, bypassing intended authorization checks.

Detection can focus on monitoring API calls to the POST /webhooks/test endpoint using app-scoped API keys that should not have org-scoped permissions.

Suggested detection commands include inspecting logs or network traffic for POST requests to /webhooks/test with app-scoped API keys, and verifying if these keys are triggering webhook deliveries outside their app scope.

  • Use network monitoring tools (e.g., tcpdump, Wireshark) to filter HTTP POST requests to /webhooks/test.
  • Query application logs for POST /webhooks/test requests and check the API key scopes associated with those requests.
  • Example command to search logs: grep 'POST /webhooks/test' /var/log/capgo/access.log | grep 'app-scoped-key'
Mitigation Strategies

The primary mitigation is to upgrade Capgo to version 12.128.2 or later, where the scope isolation vulnerability in the POST /webhooks/test endpoint has been fixed.

Until the upgrade is applied, restrict or disable app-scoped API keys from invoking the POST /webhooks/test endpoint to prevent unauthorized org-scoped webhook deliveries.

Review and audit API key permissions to ensure app-scoped keys do not have unintended access to organization-scoped operations.

  • Upgrade Capgo to version 12.128.2 or newer.
  • Restrict usage of app-scoped API keys on the /webhooks/test endpoint.
  • Audit API key scopes and permissions regularly.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-56252. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart