CVE-2026-56242
Severity: HIGH
Capgo - Unauthenticated API Key Validity Oracle and User Identity Disclosure via get_identity_apikey_only RPC
Title source: cnaDescription
Capgo before 12.128.2 exposes an unauthenticated SECURITY DEFINER RPC function, get_identity_apikey_only, that returns the owning user_id for a supplied API key. Because the function runs with its owner's privileges and is callable without a session, it acts as both an API key validity oracle and a user identity disclosure primitive: an attacker can submit candidate keys to learn whether each is valid and, for valid ones, which user owns it. The returned identifiers can then be fed into other exposed RPCs such as get_orgs_v6 to retrieve organization membership and management email PII.
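As an added illustration of the weakness class described above, not code taken from Capgo or from the advisory: a PostgREST-style RPC (the model Supabase uses, where any function in the exposed schema is reachable at /rest/v1/rpc/<name>) that becomes an anonymous oracle, the privilege revocation that closes it, and a catalog query to audit a database for other functions with the same exposure. The function name get_identity_apikey_only_demo, the api_keys table and its key and user_id columns, and the anon role name are assumptions for the example.

```sql
-- Added example, not Capgo's code. Names below (get_identity_apikey_only_demo,
-- api_keys, key, user_id, anon) are assumed for illustration.

-- Weak shape: SECURITY DEFINER runs as the function owner, so row-level
-- security on api_keys does not apply, and Postgres grants EXECUTE on new
-- functions to PUBLIC by default, so the anon role can call it via the
-- REST RPC endpoint with no session at all.
CREATE OR REPLACE FUNCTION public.get_identity_apikey_only_demo(apikey text)
RETURNS uuid
LANGUAGE sql
SECURITY DEFINER
SET search_path = public
AS $$
  SELECT user_id
  FROM public.api_keys
  WHERE key = apikey;   -- NULL for an invalid key, a user_id for a valid one
$$;
-- Every call now answers "is this key valid?" and "who owns it?" for free.

-- Fix: withdraw anonymous execution. Revoke from PUBLIC (the default grant)
-- and from the anon role explicitly; grant only to roles that should call it.
REVOKE EXECUTE ON FUNCTION public.get_identity_apikey_only_demo(text)
  FROM PUBLIC, anon;
GRANT EXECUTE ON FUNCTION public.get_identity_apikey_only_demo(text)
  TO service_role;   -- assumed name of the trusted backend role

-- Audit: list every SECURITY DEFINER function in the exposed schema that the
-- anon role can still execute. After the fix this should return no rows
-- unless a function is intentionally public.
SELECT p.oid::regprocedure AS fn
FROM pg_proc p
JOIN pg_namespace n ON n.oid = p.pronamespace
WHERE n.nspname = 'public'
  AND p.prosecdef
  AND has_function_privilege('anon', p.oid, 'EXECUTE');
```

Two caveats: REVOKE alone does not help if the function is re-created by a migration that does not repeat the REVOKE, so the grants belong in the same migration as the function definition. And a key-lookup path that genuinely must serve clients with no session should sit behind a server-side endpoint that can rate-limit and return only what that client needs, rather than a database RPC that hands back the raw owner identifier.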
References (2)
Vendor Advisory: GHSA-fhgj-7376-qxwx
https://github.com/Cap-go/capgo/security/advisories/GHSA-fhgj-7376-qxwx
Third Party Advisory: VulnCheck Advisory: Capgo - Unauthenticated API Key Validity Oracle and User Identity Disclosure via get_identity_apikey_only RPC
https://www.vulncheck.com/advisories/capgo-unauthenticated-api-key-validity-oracle-and-user-identity-disclosure-via-get-identity-apikey-only-rpc
Scores
CVSS v3: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector: NETWORK
EPSS: 0.0026
EPSS Percentile: 17.2%
CISA SSVC (Vulnrichment)
Exploitation: poc
Automatable: yes
Technical Impact: partial
Details
CWE: CWE-200
Status: published
Products (2)
Capgo/Capgo < 12.128.2 (affected)
Capgo/Capgo 12.128.2 (fixed)
Published: Jun 21, 2026
Tracked Since: Jun 21, 2026