Home

Description

Capgo before 12.128.2 fails to enforce limited_to_orgs and limited_to_apps constraints on subkeys provided via x-limited-key-id header in middlewareKey function. Attackers can bypass subkey scope restrictions by referencing their own subkeys, causing all downstream route handlers to use the unrestricted parent key instead of the scoped subkey.

PUBLISHED Reserved 2026-06-19 | Published 2026-06-24 | Updated 2026-06-24 | Assigner VulnCheck




HIGH: 8.7CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
HIGH: 8.8CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Problem types

Incorrect Authorization

Product status

Default status
unaffected

Any version before 12.128.2
affected

12.128.2 (semver)
unaffected

Credits

Judel777 reporter

References

github.com/.../capgo/security/advisories/GHSA-2h89-vcvx-5pvh exploit

github.com/.../capgo/security/advisories/GHSA-2h89-vcvx-5pvh (GitHub Security Advisory (GHSA-2h89-vcvx-5pvh)) vendor-advisory

www.vulncheck.com/...ddlewarekey-via-x-limited-key-id-header (VulnCheck Advisory: Capgo - Subkey Scope Bypass in middlewareKey via x-limited-key-id Header) third-party-advisory

cve.org (CVE-2026-56232)

nvd.nist.gov (CVE-2026-56232)

Download JSON