โ† Back to Dashboard

CVE-2026-56225

CVSS Score: 8.3
Severity: HIGH
Source: NVD
Published: Jun 23, 2026
Description

Capgo before 12.128.2 contains an authorization bypass vulnerability in its public API key management handlers (get/put/delete/post). API keys created with mode=all but restricted to a single app via limited_to_apps are only checked for limited_to_orgs and not for limited_to_apps, so an app-scoped key can enumerate, update, and delete sibling API keys belonging to the same account that are outside its declared app scope, enabling tampering with account-level credentials.
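
The scope check described above, as an added example that is not Capgo's code: it models a key-management authorization check that consults only limited_to_orgs next to one that also enforces limited_to_apps. The ApiKey shape, the userId and id fields, the function names, the rule that an empty list means "unrestricted", and the sample keys are all assumptions constructed for illustration.

```typescript
// Hypothetical key record: only mode, limited_to_orgs and limited_to_apps
// are names taken from the description; everything else is assumed.
interface ApiKey {
  id: number;
  userId: string;
  mode: string;
  limited_to_orgs: string[];
  limited_to_apps: string[];
}

// Assumption: an empty restriction list means "not restricted".
// A target is within the caller's scope only if it is no broader than the caller.
function within(callerScope: string[], targetScope: string[]): boolean {
  if (callerScope.length === 0) return true;   // caller is unrestricted
  if (targetScope.length === 0) return false;  // target is broader than caller
  return targetScope.every((s) => callerScope.indexOf(s) !== -1);
}

// Behaviour as described: the org restriction is the only scope consulted.
function canManageOrgOnly(caller: ApiKey, target: ApiKey): boolean {
  return caller.userId === target.userId &&
    within(caller.limited_to_orgs, target.limited_to_orgs);
}

// Hardened form: the app restriction must hold as well.
function canManageScoped(caller: ApiKey, target: ApiKey): boolean {
  return canManageOrgOnly(caller, target) &&
    within(caller.limited_to_apps, target.limited_to_apps);
}

// Keys the caller would be allowed to get/put/delete under a given check.
function manageable(caller: ApiKey, keys: ApiKey[],
                    check: (c: ApiKey, t: ApiKey) => boolean): ApiKey[] {
  return keys.filter((k) => check(caller, k));
}

// Constructed sample data: one app-scoped caller and four stored keys.
const CALLER: ApiKey = { id: 9, userId: "u1", mode: "all",
  limited_to_orgs: [], limited_to_apps: ["com.example.one"] };
const SIBLINGS: ApiKey[] = [
  { id: 1, userId: "u1", mode: "all", limited_to_orgs: [], limited_to_apps: [] },
  { id: 2, userId: "u1", mode: "all", limited_to_orgs: [], limited_to_apps: ["com.example.one"] },
  { id: 3, userId: "u1", mode: "all", limited_to_orgs: [], limited_to_apps: ["com.example.two"] },
  { id: 4, userId: "u2", mode: "all", limited_to_orgs: [], limited_to_apps: [] },
];
```

With the org-only check the app-scoped caller can manage keys 1, 2 and 3; with the app-aware check only key 2 remains, which is the regression test worth keeping for each of the four handlers.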
