HIGH Vulnerability · Verified · Global

NVD HIGH: CVE-2026-56232 — Capgo before 12.128.2 fails to enforce limited_to_orgs and limited_to_apps const...

Source: NIST NVD

Executive Summary

Capgo before 12.128.2 fails to enforce the limited_to_orgs and limited_to_apps constraints of a subkey referenced through the x-limited-key-id header in the middlewareKey function. A caller can bypass the scope restrictions placed on their own subkeys: the middleware accepts the subkey reference but every downstream route handler continues to act with the unrestricted parent key instead of the scoped subkey.

Analysis

The flaw is an authorization check that is resolved but never applied. The middlewareKey function accepts an x-limited-key-id header that names a subkey, yet the subkey's limited_to_orgs and limited_to_apps constraints are not enforced, so the route handlers behind the middleware operate with the full scope of the parent key. Any org or app restriction configured on a subkey therefore provides no server-side containment in affected versions and should not be relied on to limit what a subkey holder can reach. The issue is fixed in Capgo 12.128.2; operators running earlier versions should upgrade and, where API request logs are retained, check for requests carrying x-limited-key-id that touched orgs or apps outside that subkey's configured scope. CVSS base score: 8.8 (HIGH). Published: 2026-06-24T13:16:33.327.
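The vulnerable pattern beside its hardened form, as an added example that is not Capgo's code: a parent API key with scoped subkeys, a middleware that resolves the subkey named in x-limited-key-id, and the org/app scope check a route handler relies on. The key schema, the use of the Authorization header for the parent secret, the fixture keys and the handler are all assumptions made for illustration; only the header name and the two constraint names come from the advisory.

```typescript
// Added example, not Capgo's implementation. Models a parent key, a scoped
// subkey, a middleware that resolves x-limited-key-id, and a route handler.
// Field names, fixture values and header handling are assumptions.

interface ApiKey {
  id: string;
  secret: string;
  parentId?: string;        // present only on subkeys
  limitedToOrgs: string[];  // empty = no org restriction (limited_to_orgs)
  limitedToApps: string[];  // empty = no app restriction (limited_to_apps)
}

interface Req {
  headers: Record<string, string>;
  orgId: string;
  appId: string;
}

interface Ctx {
  apikey?: ApiKey; // the effective key downstream handlers authorize against
}

// Constructed fixture: one unrestricted parent key and one subkey scoped to a single org/app.
const KEYS: ApiKey[] = [
  { id: "parent-1", secret: "sk_parent", limitedToOrgs: [], limitedToApps: [] },
  { id: "sub-1", secret: "sk_sub", parentId: "parent-1", limitedToOrgs: ["org-a"], limitedToApps: ["app-a"] },
];

function keyBySecret(secret: string | undefined): ApiKey | undefined {
  return KEYS.find((k) => k.secret === secret);
}

function keyById(id: string): ApiKey | undefined {
  return KEYS.find((k) => k.id === id);
}

// Shared resolution: authenticate the presented secret, then look up the subkey
// named in x-limited-key-id and verify it really belongs to the authenticated parent.
function resolveKeys(req: Req): { parent: ApiKey; sub?: ApiKey } | undefined {
  const parent = keyBySecret(req.headers["authorization"]);
  if (!parent) return undefined;
  const subId = req.headers["x-limited-key-id"];
  if (subId === undefined) return { parent };
  const sub = keyById(subId);
  if (!sub || sub.parentId !== parent.id) return undefined;
  return { parent, sub };
}

// Vulnerable shape: the subkey is looked up and validated, but never becomes the
// effective key, so every downstream handler keeps acting as the unrestricted parent.
function middlewareKeyVulnerable(req: Req, ctx: Ctx): boolean {
  const resolved = resolveKeys(req);
  if (!resolved) return false;
  ctx.apikey = resolved.parent;
  return true;
}

// Hardened shape: when a subkey was named, it replaces the parent as the effective key,
// so its limited_to_orgs / limited_to_apps constraints reach the handlers.
function middlewareKeyFixed(req: Req, ctx: Ctx): boolean {
  const resolved = resolveKeys(req);
  if (!resolved) return false;
  ctx.apikey = resolved.sub !== undefined ? resolved.sub : resolved.parent;
  return true;
}

// Enforce the org/app scope of whichever key the middleware made effective.
function keyAllows(key: ApiKey, orgId: string, appId: string): boolean {
  const orgOk = key.limitedToOrgs.length === 0 || key.limitedToOrgs.includes(orgId);
  const appOk = key.limitedToApps.length === 0 || key.limitedToApps.includes(appId);
  return orgOk && appOk;
}

// A route handler that trusts ctx.apikey. Returns an HTTP-style status code.
function handleRoute(req: Req, middlewareKey: (req: Req, ctx: Ctx) => boolean): number {
  const ctx: Ctx = {};
  if (!middlewareKey(req, ctx) || !ctx.apikey) return 401;
  if (!keyAllows(ctx.apikey, req.orgId, req.appId)) return 403;
  return 200;
}

// Build a request authenticated with the fixture parent secret, optionally naming a subkey.
function request(orgId: string, appId: string, subId?: string): Req {
  const headers: Record<string, string> = { authorization: "sk_parent" };
  if (subId !== undefined) headers["x-limited-key-id"] = subId;
  return { headers, orgId, appId };
}
```

With the vulnerable middleware, a request naming sub-1 but targeting org-b/app-b is served (200) because the handler sees the parent; with the fixed middleware the same request is refused (403), while a request inside the subkey's scope still succeeds and an unknown or foreign subkey id is rejected outright (401).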

Indicators of Compromise (1)

CVE (1)
CVE-2026-56232

Source Attribution

Originally published by NIST NVD on Jun 24, 2026. Verified by: NIST.