CVE Catalog

CVE-2026-56242

HighCVSS 7.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.26%

17th percentile - higher than 17% of all known CVEs

Summary

Capgo before 12.128.2 contains an unauthenticated RPC function get_identity_apikey_only that returns the owning user_id for supplied API keys. This creates an API key validity oracle and user identity disclosure primitive.

Risk Assessment

Attackers can exploit this vulnerability to map API keys to user identifiers, leading to the disclosure of personal information such as organization membership and management email addresses.

Recommendation

It is recommended to update Capgo to version 12.128.2 or later to eliminate this vulnerability. Additionally, access to RPC functions should be restricted to minimize the risk of unauthorized access.

Original NVD description (English source)

Capgo before 12.128.2 contains an unauthenticated security definer RPC function get_identity_apikey_only that returns the owning user_id for supplied API keys, creating an API key validity oracle and user identity disclosure primitive. Attackers can call this endpoint with valid or invalid API keys to confirm key validity and map keys to user identifiers, then chain results into other exposed RPCs like get_orgs_v6 to retrieve organization membership and management email PII.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS