CVE-2026-56319

MEDIUM

Capgo - App Existence Oracle via GET /statistics/app/:app_id

Title source: cna
STIX 2.1

Description

Capgo before 12.128.2 contains an information disclosure vulnerability in the GET /statistics/app/:app_id endpoint that allows app-limited API keys to distinguish existing sibling app IDs through differential error responses. Attackers can enumerate real app IDs outside their allowed scope by observing 500 PGRST116 errors for inaccessible apps versus 401 errors for nonexistent apps, breaking tenant isolation.

References (2)

Core 2
Core References
Vendor Advisory vendor-advisory
GHSA Advisory GHSA-73p9-mprg-7r75
https://github.com/Cap-go/capgo/security/advisories/GHSA-73p9-mprg-7r75
Third Party Advisory third-party-advisory
VulnCheck Advisory: Capgo - App Existence Oracle via GET /statistics/app/:app_id
https://www.vulncheck.com/advisories/capgo-app-existence-oracle-via-get-statistics-app-app-id

Scores

CVSS v3 4.3
EPSS 0.0019
EPSS Percentile 8.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-203
Status published
Products (2)
Capgo/Capgo < 12.128.2
Capgo/Capgo 12.128.2
Published Jun 20, 2026
Tracked Since Jun 20, 2026