CVE-2026-56296
Received Received - Intake

Information Disclosure in Cap-go via Error Message Leak

Vulnerability report for CVE-2026-56296, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-11

Last updated on: 2026-07-11

Assigner: VulnCheck

Description

Cap-go before 12.128.2 contains an information disclosure vulnerability in the public.transfer_app RPC function that returns distinct error messages for existing versus non-existing app IDs. Unauthenticated attackers can enumerate valid app IDs by observing error message differences when calling transfer_app with only the publishable API key.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-11
Last Modified
2026-07-11
Generated
2026-07-11
AI Q&A
2026-07-11
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
cap-go cap-go to 12.128.2 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-203 The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor, which exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-56296 is an information disclosure vulnerability in the Cap-go software versions before 12.128.2. It exists in the public.transfer_app RPC function, which is accessible without authentication due to excessive permissions granted to the 'anon' role.

The vulnerability allows unauthenticated attackers, using only the publishable API key, to enumerate valid app IDs by observing distinct error messages returned when calling transfer_app with different app IDs. Specifically, the function returns different error messages for existing versus non-existing app IDs, which leaks information about which app IDs are valid.

The root cause is improper permission granting and non-uniform error messages that reveal sensitive information.

Impact Analysis

This vulnerability allows unauthenticated attackers to enumerate valid app IDs without any credentials, which can aid in targeted attacks against specific apps or organizations.

By knowing valid app IDs, attackers can gather metadata about existing apps, potentially facilitating further exploitation or reconnaissance activities.

Although the vulnerability does not directly allow modification or deletion of data, the information disclosure can be leveraged as a stepping stone for more advanced attacks.

Detection Guidance

This vulnerability can be detected by attempting to call the public.transfer_app RPC function using only the publishable API key and observing the error messages returned.

If the error messages differ depending on whether the app ID exists or not, this indicates the presence of the vulnerability, as it allows enumeration of valid app IDs.

A suggested approach is to script calls to transfer_app with various app IDs and analyze the error responses for discrepancies.

Mitigation Strategies

The recommended immediate mitigation is to revoke execution permissions for the 'anon' role on the public.transfer_app RPC function.

Additionally, ensure that the error messages returned by this function are uniform and do not reveal whether an app ID exists or not, preventing information leakage.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-56296. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart