Information Disclosure in Capgo API Endpoint
CVE-2026-56319

5.3 MEDIUM

Key Information:

Vendor: Capgo
Status: Vendor
CVE Published: 20 June 2026

What is CVE-2026-56319?

Capgo versions prior to 12.128.2 are susceptible to an information disclosure vulnerability via the GET /statistics/app/:app_id endpoint. The flaw lets an attacker holding an app-limited API key discover which sibling app IDs exist by comparing the differing error responses the endpoint returns. Specifically, the attacker can identify real app IDs outside the key's permitted scope from the error type: a 500 response carrying the PostgREST PGRST116 code indicates an app that exists but is inaccessible, while a 401 response indicates an app that does not exist. This behaviour undermines tenant isolation and could lead to unauthorized access to application data.
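The following is an added illustration and is not Capgo's code: it models the two response paths the advisory describes (an existence check answered with 401, and a row-level-secured lookup whose empty result surfaces as a 500 with the PostgREST PGRST116 code) next to a hardened handler that returns one opaque response for both "does not exist" and "not in this key's scope". The app IDs, the API key, the in-memory apps table, the `selectSingleApp` stand-in for a PostgREST `.single()` query, and the handler names are all assumptions made for the example; the `leaksExistence` function is the regression check a defender would keep to confirm the endpoint is no longer an existence oracle.

```typescript
// Added example, not Capgo's code: models the error-response oracle the
// advisory describes (500/PGRST116 vs 401) beside a handler that closes it.
// Every app ID, API key and table row here is constructed for illustration.

type HttpResponse = { status: number; body: Record<string, unknown> };
type ApiKey = { id: string; limitedToApps: string[] };
type Handler = (appId: string, key: ApiKey) => HttpResponse;

// Constructed "apps" table: app_id -> owning organisation.
const APPS: Record<string, { org: string }> = {
  "com.example.alpha": { org: "org-1" },
  "com.example.beta": { org: "org-1" }, // sibling app in the same org
  "com.other.gamma": { org: "org-2" },
};

// Constructed app-limited API key: scoped to alpha only.
const KEY_ALPHA: ApiKey = { id: "key-alpha", limitedToApps: ["com.example.alpha"] };

// Mimics PostgREST `.single()` over a row-level-secured table: a row the key
// cannot see yields zero rows, and PostgREST reports that as PGRST116.
class PostgrestError extends Error {
  code: string;
  constructor(code: string, message: string) {
    super(message);
    this.code = code;
  }
}

function selectSingleApp(appId: string, key: ApiKey): { app_id: string; org: string } {
  const row = APPS[appId];
  if (!row || !key.limitedToApps.includes(appId)) {
    throw new PostgrestError("PGRST116", "JSON object requested, multiple (or no) rows returned");
  }
  return { app_id: appId, org: row.org };
}

// Vulnerable shape (assumed, modelled on the advisory): existence is tested
// first and answered with 401, while a scope failure falls through to the DB
// and surfaces as a 500 carrying the raw PostgREST error code.
function statisticsVulnerable(appId: string, key: ApiKey): HttpResponse {
  if (!(appId in APPS)) {
    return { status: 401, body: { error: "unauthorized" } };
  }
  try {
    const app = selectSingleApp(appId, key);
    return { status: 200, body: { app_id: app.app_id, downloads: 0 } };
  } catch (e) {
    if (e instanceof PostgrestError) {
      return { status: 500, body: { error: e.message, code: e.code } };
    }
    throw e;
  }
}

// Hardened shape: the key's scope is checked before any existence-dependent
// lookup, "not yours" and "does not exist" collapse into one opaque response,
// and DB error details stay server-side.
const OPAQUE_NOT_FOUND: HttpResponse = { status: 404, body: { error: "app not found" } };

function statisticsHardened(appId: string, key: ApiKey): HttpResponse {
  if (!key.limitedToApps.includes(appId)) {
    return OPAQUE_NOT_FOUND;
  }
  try {
    const app = selectSingleApp(appId, key);
    return { status: 200, body: { app_id: app.app_id, downloads: 0 } };
  } catch {
    // Log server-side; the client only ever sees the opaque response.
    return OPAQUE_NOT_FOUND;
  }
}

// Regression check a defender keeps in the test suite: for an app-limited key,
// an existing-but-out-of-scope app and a nonexistent app must produce
// identical responses, otherwise the endpoint is an existence oracle.
function leaksExistence(handler: Handler): boolean {
  const outOfScope = handler("com.example.beta", KEY_ALPHA); // exists, not permitted
  const missing = handler("com.example.nope", KEY_ALPHA);    // does not exist
  return JSON.stringify(outOfScope) !== JSON.stringify(missing);
}

console.log("vulnerable leaks:", leaksExistence(statisticsVulnerable)); // true
console.log("hardened leaks:", leaksExistence(statisticsHardened));     // false
```

The important design choice in the hardened handler is ordering: the scope check runs against the key alone, before anything that depends on whether the row exists, so the two failure cases never reach different code paths. Returning the same constant object (rather than two hand-built "equivalent" responses) also removes the risk of the two paths drifting apart in a later change.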

Affected Version(s)

Capgo 0 < 12.128.2

Capgo 12.128.2

CVSS v4

Score: 5.3
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Judel777