Authorization Bypass Vulnerability in Capgo Product by Capgo
CVE-2026-56229

7.1HIGH

Key Information:

Vendor: Capgo
Status: Capgo
Vendor: CVE Published:; 21 June 2026

What is CVE-2026-56229?

The Capgo platform, prior to version 12.128.2, is susceptible to an authorization bypass vulnerability that affects the /build/status and /build/logs endpoints. Attackers can exploit this flaw by providing a mismatched app_id and job_id combination, which allows access to build jobs belonging to different applications. This vulnerability enables limited API keys, which are typically restricted to a single application, to obtain sensitive build information—such as logs, metadata, and potentially credentials—from unauthorized applications. By using an authorized app_id alongside a job_id from a different application, attackers can compromise critical data information, posing serious risks to application security.

Affected Version(s)

Capgo 0 < 12.128.2

Capgo 12.128.2

References

https://github.com/Cap-go/capgo/security/advisories/GHSA-...

vendor-advisory

https://www.vulncheck.com/advisories/capgo-cross-app-buil...

third-party-advisory

CVSS V4

Score:

7.1

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 21, 2026
Vulnerability Reserved
Jun 19, 2026

Credit

Judel777

CVE-2026-56229 Data

JSON