CVE-2026-56306

MEDIUM SEVERITY

CVSS Score & Metrics

Base Score

6.4 / 10

Vector String

                                        CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N                                    

Vulnerability Description

Capgo before 12.128.2 contains a weak parsing vulnerability in the x-limited-key-id header that allows attackers to bypass subkey enforcement by submitting malformed values, zero, or duplicate headers that result in NaN or falsy values. Remote attackers can manipulate the x-limited-key-id header to disable limited key scoping and execute requests using the main API key context instead of restricted subkey permissions.

Vulnerability Details

Published Date

June 22, 2026

Last Modified

June 23, 2026

CWE ID

CWE-20

Source

NVD

Vendor

Capgo

Product

Capgo

External References

https://github.com/Cap-go/capgo/security/advisories/GHSA-42vv-8j94-24wj
https://www.vulncheck.com/advisories/capgo-subkey-enforcement-bypass-via-x-limited-key-id-header-parsing
https://github.com/Cap-go/capgo/security/advisories/GHSA-42vv-8j94-24wj

CVE-2026-56306

CVSS Score & Metrics

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment