CVE-2026-56280

Cap-go contains a privilege inversion in the /build/logs/:jobId SSE handling prior to version 12.128.2. An abort listener on the SSE stream unconditionally calls cancelBuildOnDisconnect() using the server-side BUILDER_API_KEY, bypassing the app.build_native permission check required by POST /buil...