CVE-2026-56242

HIGH SEVERITY

CVSS Score & Metrics

Base Score

7.5 / 10

Vector String

                                        CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N                                    

Vulnerability Description

Capgo before 12.128.2 contains an unauthenticated security definer RPC function get_identity_apikey_only that returns the owning user_id for supplied API keys, creating an API key validity oracle and user identity disclosure primitive. Attackers can call this endpoint with valid or invalid API keys to confirm key validity and map keys to user identifiers, then chain results into other exposed RPCs like get_orgs_v6 to retrieve organization membership and management email PII.

Vulnerability Details

Published Date

June 21, 2026

Last Modified

June 21, 2026

CWE ID

CWE-200

Source

NVD

Vendor

Capgo

Product

Capgo

External References

https://github.com/Cap-go/capgo/security/advisories/GHSA-fhgj-7376-qxwx
https://www.vulncheck.com/advisories/capgo-unauthenticated-api-key-validity-oracle-and-user-identity-disclosure-via-get-identity-apikey-only-rpc

CVE-2026-56242

CVSS Score & Metrics

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment