Loading market data...
← Back to CVE feed

CVE-2026-56232

HIGH CVSS 8.8 View on NVD ↗

Description

Capgo before 12.128.2 fails to enforce limited_to_orgs and limited_to_apps constraints on subkeys provided via x-limited-key-id header in middlewareKey function. Attackers can bypass subkey scope restrictions by referencing their own subkeys, causing all downstream route handlers to use the unrestricted parent key instead of the scoped subkey.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Published: Jun 24, 2026 13:16 UTC Modified: Jun 24, 2026 13:16 UTC