Description
Capgo before 12.128.2 contains an authorization bypass vulnerability where write-scoped API keys can directly mutate protected channel configuration fields through PostgREST by exploiting a null authentication check in the immutability trigger. Attackers with write API keys can modify sensitive channel attributes such as public, allow_emulator, and security-related flags outside intended application routes.
Problem types
Product status
Any version before 12.128.2
12.128.2 (semver)
Credits
Judel777
References
github.com/.../capgo/security/advisories/GHSA-ph9c-vwjq-pqhj
github.com/.../capgo/security/advisories/GHSA-ph9c-vwjq-pqhj (GitHub Security Advisory (GHSA-ph9c-vwjq-pqhj))
www.vulncheck.com/...tion-mutation-via-write-scoped-api-keys (VulnCheck Advisory: Capgo - Channel Configuration Mutation via Write-Scoped API Keys)