CVE-2026-56280
HighCVSS 7.1Exploitation Probability (EPSS)
Low risk17th percentile - higher than 17% of all known CVEs
Summary
Cap-go before version 12.128.2 contains a privilege inversion vulnerability in GET /build/logs/:jobId that allows read-only API key holders to cancel running native builds. The endpoint registers an abort listener on the SSE stream that unconditionally invokes cancelBuildOnDisconnect() using the privileged server-side BUILDER_API_KEY.
Risk Assessment
Attackers with read-only API keys can repeatedly disrupt native build operations and CI/CD workflows, leading to significant disruptions in the organization's operations.
Recommendation
It is recommended to upgrade to version 12.128.2 or later to eliminate this vulnerability and review API key permissions to restrict access to critical operations.
Original NVD description (English source)
Cap-go before 12.128.2 contains a privilege inversion vulnerability in GET /build/logs/:jobId that allows read-only API key holders to cancel running native builds. The endpoint registers an abort listener on the SSE stream that unconditionally invokes cancelBuildOnDisconnect() using the privileged server-side BUILDER_API_KEY when clients disconnect, bypassing the app.build_native permission check required by the explicit POST /build/cancel/:jobId endpoint. Attackers with read-only API keys can repeatedly disrupt native build operations and CI/CD workflows by opening the log stream and dropping the connection.

