CVE-2026-56319
MEDIUMCapgo - App Existence Oracle via GET /statistics/app/:app_id
Title source: cnaDescription
Capgo before 12.128.2 contains an information disclosure vulnerability in the GET /statistics/app/:app_id endpoint that allows app-limited API keys to distinguish existing sibling app IDs through differential error responses. Attackers can enumerate real app IDs outside their allowed scope by observing 500 PGRST116 errors for inaccessible apps versus 401 errors for nonexistent apps, breaking tenant isolation.
References (2)
Core 2
Core References
Vendor Advisory vendor-advisory
GHSA Advisory GHSA-73p9-mprg-7r75
https://github.com/Cap-go/capgo/security/advisories/GHSA-73p9-mprg-7r75
Third Party Advisory third-party-advisory
VulnCheck Advisory: Capgo - App Existence Oracle via GET /statistics/app/:app_id
https://www.vulncheck.com/advisories/capgo-app-existence-oracle-via-get-statistics-app-app-id
Scores
CVSS v3
4.3
EPSS
0.0019
EPSS Percentile
8.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-203
Status
published
Products (2)
Capgo/Capgo
< 12.128.2
Capgo/Capgo
12.128.2
Published
Jun 20, 2026
Tracked Since
Jun 20, 2026