CVE-2026-56316 | Cap-go before 12.128.2 contains an information disclosure vu… | CVSS 5.3 MEDIUM

Description

Cap-go before 12.128.2 contains an information disclosure vulnerability in the OPTIONS /build/upload/:jobId/* endpoint that allows unauthenticated attackers to enumerate valid builder job IDs through observable response discrepancies. Attackers can probe the endpoint without authentication to distinguish valid job IDs from invalid ones and generate sustained unauthenticated traffic for resource consumption.

Metadata

CVE ID: CVE-2026-56316
State: PUBLISHED
Assigner: VulnCheck
Reserved: 2026-06-20 12:59 UTC
Published: 2026-06-21 13:26 UTC
Last updated: 2026-06-21 13:26 UTC
Primary CWE: CWE-203
Observable Discrepancy
Vendor / Product: Cap-go / capgo
Sources: cve.org · NVD

Severity & Metrics

5.3 MEDIUM CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Affected products (1)

Vendor	Product	Platform	Versions
Cap-go	capgo	—	0 < 12.128.2, 12.128.2

Weakness (CWE)

CWE	Source	Description
CWE-203	cna	Observable Discrepancy

CVSS scores (2)

Score	Severity	Version	Source	Vector
6.9	MEDIUM	4.0	cna	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
5.3	MEDIUM	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

References (2)

GHSA Advisory GHSA-9c2x-7h5x-37gm https://github.com/Cap-go/capgo/security/advisories/GHSA-9c2x-7h5x-37gm
VulnCheck Advisory: Cap-go - Job Existence Oracle via Unauthenticated OPTIONS /build/upload/:jobId/* https://www.vulncheck.com/advisories/cap-go-job-existence-oracle-via-unauthenticated-options-build-upload-jobid