CVE-2026-56232 | Capgo before 12.128.2 fails to enforce limited_to_orgs and l… | CVSS 8.8 HIGH

Description

Capgo before 12.128.2 fails to enforce limited_to_orgs and limited_to_apps constraints on subkeys provided via x-limited-key-id header in middlewareKey function. Attackers can bypass subkey scope restrictions by referencing their own subkeys, causing all downstream route handlers to use the unrestricted parent key instead of the scoped subkey.

Metadata

CVE ID: CVE-2026-56232
State: PUBLISHED
Assigner: VulnCheck
Reserved: 2026-06-19 21:50 UTC
Published: 2026-06-24 11:53 UTC
Last updated: 2026-06-24 12:14 UTC
Primary CWE: CWE-863
Incorrect Authorization
Vendor / Product: Capgo / Capgo
Sources: cve.org · NVD

Severity & Metrics

8.8 HIGH CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

SSVC — CISA Coordinator

Exploitation: PoC
Automatable: no
Tech. Impact: total

Affected products (1)

Vendor	Product	Platform	Versions
Capgo	Capgo	—	0 < 12.128.2, 12.128.2

Weakness (CWE)

CWE	Source	Description
CWE-863	cna	Incorrect Authorization

CVSS scores (2)

Score	Severity	Version	Source	Vector
8.8	HIGH	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.7	HIGH	4.0	cna	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

References (2)

GitHub Security Advisory (GHSA-2h89-vcvx-5pvh) https://github.com/Cap-go/capgo/security/advisories/GHSA-2h89-vcvx-5pvh
VulnCheck Advisory: Capgo - Subkey Scope Bypass in middlewareKey via x-limited-key-id Header https://www.vulncheck.com/advisories/capgo-subkey-scope-bypass-in-middlewarekey-via-x-limited-key-id-header