CVE Catalog

CVE-2026-56306

MediumCVSS 6.4
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.25%

16th percentile — higher than 16% of all known CVEs

Summary

Capgo before 12.128.2 contains a weak parsing vulnerability in the x-limited-key-id header that allows attackers to bypass subkey enforcement by submitting malformed values, zero, or duplicate headers resulting in NaN or falsy values.

Risk Assessment

Remote attackers can manipulate the x-limited-key-id header to disable limited key scoping and execute requests using the main API key context instead of restricted subkey permissions, posing a serious security risk to the application.

Recommendation

It is recommended to upgrade to Capgo version 12.128.2 or later to mitigate this vulnerability and to implement additional security measures to monitor and restrict access to API keys.

Original NVD description (English source)

Capgo before 12.128.2 contains a weak parsing vulnerability in the x-limited-key-id header that allows attackers to bypass subkey enforcement by submitting malformed values, zero, or duplicate headers that result in NaN or falsy values. Remote attackers can manipulate the x-limited-key-id header to disable limited key scoping and execute requests using the main API key context instead of restricted subkey permissions.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS