Home

Description

Cap-go before 12.128.2 contains an information disclosure vulnerability in the OPTIONS /build/upload/:jobId/* endpoint that allows unauthenticated attackers to enumerate valid builder job IDs through observable response discrepancies. Attackers can probe the endpoint without authentication to distinguish valid job IDs from invalid ones and generate sustained unauthenticated traffic for resource consumption.

PUBLISHED Reserved 2026-06-20 | Published 2026-06-21 | Updated 2026-06-24 | Assigner VulnCheck




MEDIUM: 6.9CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
MEDIUM: 5.3CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Problem types

Observable Discrepancy

Product status

Default status
unaffected

Any version before 12.128.2
affected

12.128.2 (semver)
unaffected

Credits

Judel777 reporter

References

github.com/.../capgo/security/advisories/GHSA-9c2x-7h5x-37gm exploit

github.com/.../capgo/security/advisories/GHSA-9c2x-7h5x-37gm (GHSA Advisory GHSA-9c2x-7h5x-37gm) vendor-advisory

www.vulncheck.com/...uthenticated-options-build-upload-jobid (VulnCheck Advisory: Cap-go - Job Existence Oracle via Unauthenticated OPTIONS /build/upload/:jobId/*) third-party-advisory

cve.org (CVE-2026-56316)

nvd.nist.gov (CVE-2026-56316)

Download JSON