Broken Object Level Authorization in Capgo by Capgo
CVE-2026-56231

7.2HIGH

Key Information:

Vendor

Capgo

Status
Vendor
CVE Published:
24 June 2026

What is CVE-2026-56231?

The Capgo platform prior to version 12.128.2 has a significant security flaw involving broken object level authorization (BOLA). This vulnerability exists in the POST /build/start/:jobId and POST /build/cancel/:jobId endpoints, which inadequately verify user permissions. Specifically, the request is authorized solely based on the user-controlled app_id provided in the request body. As a result, an authenticated user with the appropriate permissions can inadvertently initiate or terminate builder jobs belonging to other tenants by manipulating the jobId. This can lead to serious security risks, including unauthorized operations across different tenant environments, potentially causing denial of service and financial implications due to resource mismanagement.

Affected Version(s)

Capgo 0 < 12.128.2

Capgo 12.128.2

References

CVSS V4

Score:
7.2
Severity:
HIGH
Confidentiality:
Low
Integrity:
Low
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Judel777
.