Lucene search
K

7 matches found

NVD
NVD
added 2 days ago7 views

CVE-2026-56252

Capgo before 12.128.2 contains a scope isolation vulnerability in the POST /webhooks/test endpoint that allows app-scoped API keys to invoke org-scoped webhook operations. Attackers with app-scoped credentials can trigger signed outbound webhook deliveries for arbitrary organization webhooks...

5.4CVSS0.00169EPSS
Exploits0References2
CVE
CVE
added 2 days ago18 views

CVE-2026-56252

Capgo before 12.128.2 is affected by a scope isolation vulnerability in the POST /webhooks/test endpoint. The issue allows app-scoped API keys to invoke organization-scoped webhook operations, enabling attackers with app-scoped credentials to trigger signed outbound webhook deliveries for arbitra...

5.4CVSS6.2AI score0.00169EPSS
Exploits0References2
Cvelist
Cvelist
added 6 days ago29 views

CVE-2026-56217 Capgo - Encrypted Bundle Policy Bypass via Direct PostgREST Update

Capgo before 12.128.2 contains a policy bypass vulnerability in appversions update enforcement that allows app-scoped API keys to downgrade encrypted bundles to non-encrypted state. Attackers with app-scoped all API keys can directly update the appversions table via PostgREST to clear sessionkey...

5.3CVSS0.00215EPSS
Exploits0References2
CVE
CVE
added 6 days ago5 views

CVE-2026-56217

Capgo versions before 12.128.2 contain a policy bypass vulnerability in app_versions update enforcement that lets app-scoped API keys downgrade encrypted bundles to non-encrypted state. Attackers with app-scoped all API keys can directly update the app_versions table via PostgREST to clear sessio...

5.3CVSS6AI score0.00215EPSS
Exploits0References2
EUVD
EUVD
added 6 days ago5 views

EUVD-2026-42246

Capgo before 12.128.2 contains a policy bypass vulnerability in appversions update enforcement that allows app-scoped API keys to downgrade encrypted bundles to non-encrypted state. Attackers with app-scoped all API keys can directly update the appversions table via PostgREST to clear sessionkey...

5.3CVSS6AI score0.00215EPSS
Exploits0References2
CVE
CVE
added 2026/06/23 12:12 p.m.16 views

CVE-2026-56225

Capgo before 12.128.2 has an authorization bypass in public API key management handlers (get/put/delete/post). Keys created with mode=all but limited_to_apps are not checked against limited_to_apps, only limited_to_orgs, allowing an app-scoped key to enumerate, update, and delete sibling API keys...

8.7CVSS5.9AI score0.00292EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/06/23 12:12 p.m.37 views

CVE-2026-56225 Capgo - Authorization Bypass in API Key Management via App-Limited Keys

Capgo before 12.128.2 contains an authorization bypass vulnerability in its public API key management handlers get/put/delete/post. API keys created with mode=all but restricted to a single app via limitedtoapps are only checked for limitedtoorgs and not for limitedtoapps, so an app-scoped key ca...

8.7CVSS0.00292EPSS
Exploits0References2
Rows per page
Query Builder