CVE-2026-56306
MediumCVSS 6.4Exploitation Probability (EPSS)
Low risk16th percentile — higher than 16% of all known CVEs
Summary
Capgo before 12.128.2 contains a weak parsing vulnerability in the x-limited-key-id header that allows attackers to bypass subkey enforcement by submitting malformed values, zero, or duplicate headers resulting in NaN or falsy values.
Risk Assessment
Remote attackers can manipulate the x-limited-key-id header to disable limited key scoping and execute requests using the main API key context instead of restricted subkey permissions, posing a serious security risk to the application.
Recommendation
It is recommended to upgrade to Capgo version 12.128.2 or later to mitigate this vulnerability and to implement additional security measures to monitor and restrict access to API keys.
Original NVD description (English source)
Capgo before 12.128.2 contains a weak parsing vulnerability in the x-limited-key-id header that allows attackers to bypass subkey enforcement by submitting malformed values, zero, or duplicate headers that result in NaN or falsy values. Remote attackers can manipulate the x-limited-key-id header to disable limited key scoping and execute requests using the main API key context instead of restricted subkey permissions.

