CVE-2026-56299 | Capgo before 12.128.2 contains an authentication bypass vuln… | CVSS 5.3 MEDIUM

Description

Capgo before 12.128.2 contains an authentication bypass vulnerability in the /build/upload/:jobId/* endpoint that allows unauthenticated attackers to trigger consistent 500 errors. Remote attackers can send OPTIONS requests to bypass authentication middleware and invoke tusProxy logic with invalid credentials, enabling trivial request flooding and denial of service.

Metadata

CVE ID: CVE-2026-56299
State: PUBLISHED
Assigner: VulnCheck
Reserved: 2026-06-20 12:49 UTC
Published: 2026-06-21 13:26 UTC
Last updated: 2026-06-21 13:26 UTC
Primary CWE: CWE-306
Missing Authentication for Critical Function
Vendor / Product: Capgo / Capgo
Sources: cve.org · NVD

Severity & Metrics

5.3 MEDIUM CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Affected products (1)

Vendor	Product	Platform	Versions
Capgo	Capgo	—	0 < 12.128.2, 12.128.2

Weakness (CWE)

CWE	Source	Description
CWE-306	cna	Missing Authentication for Critical Function

CVSS scores (2)

Score	Severity	Version	Source	Vector
6.9	MEDIUM	4.0	cna	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
5.3	MEDIUM	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

References (2)

GHSA Advisory GHSA-6c7m-4223-446j https://github.com/Cap-go/capgo/security/advisories/GHSA-6c7m-4223-446j
VulnCheck Advisory: Capgo - Denial of Service via Unauthenticated OPTIONS Request to /build/upload Endpoint https://www.vulncheck.com/advisories/capgo-denial-of-service-via-unauthenticated-options-request-to-build-upload-endpoint