{"document":{"category":"csaf_vex","csaf_version":"2.0","title":"CVE-2026-56232: Capgo - Subkey Scope Bypass in middlewareKey via x-limited-key-id Header","publisher":{"category":"vendor","name":"HarborGuard Database","namespace":"https://database.harborguard.co"},"tracking":{"id":"CVE-2026-56232","status":"final","version":"1","initial_release_date":"2026-06-24T11:53:09.410Z","current_release_date":"2026-06-24T12:14:32.062Z","revision_history":[{"date":"2026-06-24T11:53:09.410Z","number":"1","summary":"Initial machine-readable export from HarborGuard."}]},"distribution":{"tlp":{"label":"WHITE"},"text":"Public CVE data; freely redistributable."},"notes":[{"category":"description","text":"Capgo before 12.128.2 fails to enforce the limited_to_orgs and limited_to_apps constraints of a subkey supplied via the x-limited-key-id header in the middlewareKey function. An authenticated attacker can bypass subkey scope restrictions by referencing one of their own subkeys in that header: the constraints are never applied, so every downstream route handler runs with the unrestricted parent key instead of the scoped subkey, and the organization and app limits placed on the subkey have no effect.","title":"CVE description"}],"references":[{"category":"self","summary":"CVE-2026-56232 on HarborGuard Database","url":"https://database.harborguard.co/cve/CVE-2026-56232"},{"category":"external","summary":"CVE Record","url":"https://www.cve.org/CVERecord?id=CVE-2026-56232"},{"category":"external","summary":"GitHub Security Advisory (GHSA-2h89-vcvx-5pvh)","url":"https://github.com/Cap-go/capgo/security/advisories/GHSA-2h89-vcvx-5pvh"},{"category":"external","summary":"VulnCheck Advisory: Capgo - Subkey Scope Bypass in middlewareKey via x-limited-key-id Header","url":"https://www.vulncheck.com/advisories/capgo-subkey-scope-bypass-in-middlewarekey-via-x-limited-key-id-header"}]},"product_tree":{"branches":[{"category":"vendor","name":"Capgo","branches":[{"category":"product_name","name":"Capgo","branches":[{"category":"product_version_range","name":"<12.128.2","product":{"name":"Capgo Capgo <12.128.2","product_id":"CSAFPID-1","product_identification_helper":{"cpe":"cpe:2.3:a:capgo:capgo:*:*:*:*:*:*:*:*"}}},{"category":"product_version","name":"12.128.2","product":{"name":"Capgo Capgo 12.128.2","product_id":"CSAFPID-2","product_identification_helper":{"cpe":"cpe:2.3:a:capgo:capgo:*:*:*:*:*:*:*:*"}}}]}]}]},"vulnerabilities":[{"cve":"CVE-2026-56232","title":"Capgo - Subkey Scope Bypass in middlewareKey via x-limited-key-id Header","notes":[{"category":"description","text":"Capgo before 12.128.2 fails to enforce the limited_to_orgs and limited_to_apps constraints of a subkey supplied via the x-limited-key-id header in the middlewareKey function. An authenticated attacker can bypass subkey scope restrictions by referencing one of their own subkeys in that header: the constraints are never applied, so every downstream route handler runs with the unrestricted parent key instead of the scoped subkey, and the organization and app limits placed on the subkey have no effect.","title":"CVE description"}],"product_status":{"known_affected":["CSAFPID-1"],"fixed":["CSAFPID-2"]},"scores":[{"cvss_v4":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N","baseScore":8.7,"baseSeverity":"HIGH"},"products":["CSAFPID-1"]}],"remediations":[{"category":"vendor_fix","details":"Update Capgo to 12.128.2 or later; all versions before 12.128.2 are affected.","product_ids":["CSAFPID-1"]}]}]}