Home

Description

Capgo before 12.128.2 contains an information disclosure vulnerability in the GET /statistics/app/:app_id endpoint that allows app-limited API keys to distinguish existing sibling app IDs through differential error responses. Attackers can enumerate real app IDs outside their allowed scope by observing 500 PGRST116 errors for inaccessible apps versus 401 errors for nonexistent apps, breaking tenant isolation.

PUBLISHED Reserved 2026-06-20 | Published 2026-06-20 | Updated 2026-06-20 | Assigner VulnCheck




MEDIUM: 5.3CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
MEDIUM: 4.3CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Problem types

Observable Discrepancy

Product status

Default status
unaffected

Any version before 12.128.2
affected

12.128.2 (semver)
unaffected

Credits

Judel777 reporter

References

github.com/.../capgo/security/advisories/GHSA-73p9-mprg-7r75 (GHSA Advisory GHSA-73p9-mprg-7r75) vendor-advisory

www.vulncheck.com/...ce-oracle-via-get-statistics-app-app-id (VulnCheck Advisory: Capgo - App Existence Oracle via GET /statistics/app/:app_id) third-party-advisory

cve.org (CVE-2026-56319)

nvd.nist.gov (CVE-2026-56319)

Download JSON