Broken Object Level Authorization in Capgo by Capgo
CVE-2026-56231
What is CVE-2026-56231?
The Capgo platform prior to version 12.128.2 has a significant security flaw involving broken object level authorization (BOLA). This vulnerability exists in the POST /build/start/:jobId and POST /build/cancel/:jobId endpoints, which inadequately verify user permissions. Specifically, the request is authorized solely based on the user-controlled app_id provided in the request body. As a result, an authenticated user with the appropriate permissions can inadvertently initiate or terminate builder jobs belonging to other tenants by manipulating the jobId. This can lead to serious security risks, including unauthorized operations across different tenant environments, potentially causing denial of service and financial implications due to resource mismanagement.
Affected Version(s)
Capgo 0 < 12.128.2
Capgo 12.128.2
