Analysis and contextual insights are available on OpenCVE Cloud.
No vendor fix or workaround currently provided.
Additional remediation guidance may be available on OpenCVE Cloud.
Tracking
Sign in to view the affected projects.
No advisories yet.
Tue, 30 Jun 2026 22:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Capgo before 12.128.2 contains unauthenticated security definer RPC functions get_user_id and get_org_perm_for_apikey that expose API key validity oracles and user UUID disclosure. Unauthenticated attackers using the public API key can validate leaked keys, enumerate users and apps, and determine permission levels, significantly increasing the actionability of compromised credentials. | |
| Title | Capgo - Unauthenticated API Key Validity and Permission Oracle via RPC Functions | |
| Weaknesses | CWE-200 | |
| References |
| |
| Metrics |
cvssV3_1
|
Subscriptions
No data.
Status: PUBLISHED
Assigner: VulnCheck
Published:
Updated: 2026-06-30T22:08:29.294Z
Reserved: 2026-06-20T12:49:17.830Z
Link: CVE-2026-56300
No data.
No data.
No data.
OpenCVE Enrichment
Updated: 2026-06-30T23:30:04Z