HIGHCVE-2026-56232Published 2026-06-24Modified 2026-06-24CNA VulnCheck

CVE-2026-56232: Capgo - Subkey Scope Bypass in middlewareKey via x-limited-key-id Header

Capgo before 12.128.2 fails to enforce limited_to_orgs and limited_to_apps constraints on subkeys provided via x-limited-key-id header in middlewareKey function. Attackers can bypass subkey scope restrictions by referencing their own subkeys, causing all downstream route handlers to use the unrestricted parent key instead of the scoped subkey.

CVSS v4.0: 8.7
Severity: HIGH
Fixed in: 12.128.2
Affected Products: 1

Fix available

12.128.2

Affected packages

Capgo / Capgo
< 12.128.2 (from 0)
Fixed in 12.128.2

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

References

GitHub Security Advisory (GHSA-2h89-vcvx-5pvh)
VulnCheck Advisory: Capgo - Subkey Scope Bypass in middlewareKey via x-limited-key-id Header

Metrics

Get notified

Fix available