CVE-2026-56237: Capgo - Unauthenticated API Key Generation via Client-Side Parameter Manipulation
Capgo before 12.128.2 contains a broken authentication vulnerability in its API key generation mechanism. API keys are exposed in frontend requests, and the backend fails to validate that keys are securely generated and bound to the authenticated user. An attacker can tamper with the API key parameter in the generation request and supply arbitrary values, generating custom API keys without proper authorization, which can lead to unauthorized access to protected endpoints.
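The flaw described above, modeled as an added example (not Capgo's code and not taken from this advisory): a handler that stores a client-supplied key, next to one that requires a session, mints the key server-side, and takes the owner from the session. The `sessions` and `apiKeys` stores, the handler names, and the `key` and `user_id` request fields are assumptions made for illustration.

```javascript
// Added illustration; not Capgo's code. All names and request fields are hypothetical.
const rng = typeof require === 'function' ? require('node:crypto') : globalThis.crypto;

// Constructed sample state: session token -> user id, and issued key -> record.
const sessions = new Map([['sess-alice', 'user-alice']]);
const apiKeys = new Map();

// Vulnerable pattern: no session check, and the key value and owner both
// come straight from the request body.
function createKeyInsecure(req) {
  const key = req.body.key;
  apiKeys.set(key, { owner: req.body.user_id });
  return { status: 200, key };
}

// Hardened pattern: a valid session is required, the key is minted on the
// server, and the owner is read from the session, never from the request.
function createKeySecure(req) {
  const owner = sessions.get(req.sessionToken);
  if (!owner) return { status: 401 };

  // Refuse requests that try to choose the key value or the owner.
  const rejected = Object.keys(req.body || {})
    .filter((field) => field === 'key' || field === 'user_id');
  if (rejected.length) return { status: 400, rejected };

  const key = rng.randomUUID(); // CSPRNG-backed, independent of request input
  apiKeys.set(key, { owner });
  return { status: 201, key };
}

// Endpoint guard: a key authenticates only if the server issued and stored it.
function authenticate(key) {
  const record = apiKeys.get(key);
  return record ? record.owner : null;
}
```
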
Metrics
- CVSS v4.0: 9.3
- Severity: CRITICAL
- Fixed in: 12.128.2
- Affected Products: 1
HarborGuard Analysis
Synopsis
Broken authentication in Capgo's API key generation endpoint allows an unauthenticated remote attacker to supply arbitrary values for the API key parameter in a frontend request, bypassing any server-side binding to a legitimate user session. Because the backend does not validate that generated keys are tied to an authenticated user, an attacker can mint custom API keys at will and use them to access protected endpoints. A patched-image rebuild at version 12.128.2 is available on HarborGuard for environments running an affected version.
HarborGuard Coverage
Detection of CVE-2026-56237 is available across every HarborGuard environment; the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all images in customer registries and CI pipelines, including custom-built images that bundle Capgo. Coverage applies to every image layer, not only base images pulled from public registries.
Available
HarborGuard is capable of scoring matched findings at CVSS 9.3 Critical and weighting that score against each environment's compliance policy to determine priority. Routed findings land in the appropriate team inbox inside each customer org based on ownership rules configured for the affected workload.
Available
A patched-image rebuild pinned to Capgo 12.128.2 is available on HarborGuard for any environment where an affected image is detected. For customers who opt into auto-remediation, HarborGuard can trigger a rebuild, run the regression test suite against the new image, and open a pull request against affected workloads automatically.
Available
Exploit Conditions
- Network reachability: Required
  The vulnerable API key generation endpoint is exposed over the network, so the attacker must be able to reach it via HTTP/HTTPS from any internet-connected location.
- Authentication: Not required
  No account or session credential is needed; the broken authentication flaw is precisely that the backend never enforces user binding during key generation.
- Victim interaction: Not required
  The attack is fully server-side; no user action such as clicking a link or opening a file is required to complete it.
- Attack complexity: Detail
  Exploitation is reliable and condition-free; the attacker only needs to craft a standard HTTP request with an arbitrary API key value, with no race conditions or special environmental factors required.
Blast Radius
- Attacker mints arbitrary API keys that authenticate as legitimate principals, gaining access to any protected endpoint gated on API key validation.
- Attacker reads confidential data accessible to those endpoints, including user records, configuration secrets, and stored session material.
- Attacker modifies application state through write-capable endpoints, such as altering user data, updating configuration, or injecting malicious content into stored records.
How HarborGuard Handles This
Available on HarborGuard: detection of this Critical (CVSS 9.3) broken-authentication issue is active for all environments running Capgo images below 12.128.2, with matching performed against every ingest cycle, including images built internally. A patched rebuild at version 12.128.2 becomes available as soon as an affected image is identified. For customers who opt into auto-remediation, HarborGuard can execute the full remediation flow: rebuild the image at the fixed version, run regression tests, and open a pull request against the affected workload. Median time from CVE publication to merged patch PR for Critical-severity issues is around 90 minutes for environments with auto-remediation enabled. Where compliance policy requires manual approval, the finding is routed to the designated inbox with the CVSS score, affected image digest, and fix version attached so reviewers have everything needed to approve the rebuild without additional research.
Fix available
- Capgo / Capgo: < 12.128.2 (from 0), fixed in 12.128.2
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N