CVE-2026-56229
Capgo before 12.128.2 has an authorization bypass in /build/status and /build/logs that lets an attacker access build jobs from other apps by mixing app_id and job_id. Limited API keys scoped to one app can read status/logs across apps by using an authorized app_id with a job_id from another app,...