CVE-2026-56319
MediumCVSS 4.3Exploitation Probability (EPSS)
Low risk8th percentile — higher than 8% of all known CVEs
Summary
Capgo before 12.128.2 contains an information disclosure vulnerability in the GET /statistics/app/:app_id endpoint that allows app-limited API keys to distinguish existing sibling app IDs through differential error responses. Attackers can enumerate real app IDs outside their allowed scope by observing 500 PGRST116 errors for inaccessible apps versus 401 errors for nonexistent apps.
Risk Assessment
This vulnerability may lead to a breach of tenant isolation, allowing attackers to gain access to information about applications that are outside their scope. This could result in unauthorized access to data and resources.
Recommendation
It is recommended to upgrade to Capgo version 12.128.2 or later to mitigate this vulnerability. Additionally, it is advisable to review and strengthen API access control mechanisms.
Original NVD description (English source)
Capgo before 12.128.2 contains an information disclosure vulnerability in the GET /statistics/app/:app_id endpoint that allows app-limited API keys to distinguish existing sibling app IDs through differential error responses. Attackers can enumerate real app IDs outside their allowed scope by observing 500 PGRST116 errors for inaccessible apps versus 401 errors for nonexistent apps, breaking tenant isolation.

