Description

Capgo before 12.128.2 contains an unauthenticated SECURITY DEFINER RPC function, get_identity_apikey_only, that returns the owning user_id for a supplied API key. This creates an API key validity oracle and a user identity disclosure primitive: an attacker can call the endpoint with valid or invalid API keys to confirm key validity and map keys to user identifiers, then chain the results into other exposed RPCs such as get_orgs_v6 to retrieve organization membership and management email PII.

Status: PUBLISHED | Reserved 2026-06-19 | Published 2026-06-21 | Updated 2026-06-22 | Assigner: VulnCheck

HIGH: 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
HIGH: 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Problem types

Exposure of Sensitive Information to an Unauthorized Actor

Product status

Default status: unaffected
Any version before 12.128.2: affected
12.128.2 (semver): unaffected

Credits

Judel777 (reporter)

References

github.com/.../capgo/security/advisories/GHSA-fhgj-7376-qxwx (exploit)

github.com/.../capgo/security/advisories/GHSA-fhgj-7376-qxwx (GHSA Advisory GHSA-fhgj-7376-qxwx; vendor advisory)

www.vulncheck.com/...losure-via-get-identity-apikey-only-rpc (VulnCheck Advisory: Capgo - Unauthenticated API Key Validity Oracle and User Identity Disclosure via get_identity_apikey_only RPC; third-party advisory)

cve.org (CVE-2026-56242)

nvd.nist.gov (CVE-2026-56242)