CVE-2026-56229
MediumCVSS 6.5Exploitation Probability (EPSS)
Low risk12th percentile — higher than 12% of all known CVEs
Summary
Capgo before 12.128.2 contains an authorization bypass vulnerability in the /build/status and /build/logs endpoints that allows attackers to access build jobs belonging to different applications by supplying a mismatched app_id and job_id combination.
Risk Assessment
This vulnerability allows access to sensitive build information, including logs, metadata, and potentially credentials, which could lead to serious security breaches within the organization.
Recommendation
It is recommended to update Capgo to version 12.128.2 or later and to review and strengthen the API key management policy to restrict access to sensitive data.
Original NVD description (English source)
Capgo before 12.128.2 contains an authorization bypass vulnerability in the /build/status and /build/logs endpoints that allows attackers to access build jobs belonging to different applications by supplying a mismatched app_id and job_id combination. Limited API keys restricted to a single app can retrieve build status and logs from other apps by providing an authorized app_id while using a job_id from an unauthorized app, exposing sensitive build information including logs, metadata, and potentially credentials.

