CVE-2026-56232

EUVD-2026-38739
Capgo before 12.128.2 fails to enforce limited_to_orgs and limited_to_apps constraints on subkeys provided via x-limited-key-id header in middlewareKey function. Attackers can bypass subkey scope restrictions by referencing their own subkeys, causing all downstream route handlers to use the unrestricted parent key instead of the scoped subkey.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
8.8 HIGH
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: 18%
Common Weakness Enumeration
References
https://github.com/Cap-go/capgo/security/advisories/GHSA-2h89-vcvx-5pvh
https://www.vulncheck.com/advisories/capgo-subkey-scope-bypass-in-middlewarekey-via-x-limited-key-id-header
https://github.com/Cap-go/capgo/security/advisories/GHSA-2h89-vcvx-5pvh