CVE-2026-56319

MEDIUM SEVERITY

CVSS Score & Metrics

Base Score

4.3 / 10

Vector String

                                        CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N                                    

Vulnerability Description

Capgo before 12.128.2 contains an information disclosure vulnerability in the GET /statistics/app/:app_id endpoint that allows app-limited API keys to distinguish existing sibling app IDs through differential error responses. Attackers can enumerate real app IDs outside their allowed scope by observing 500 PGRST116 errors for inaccessible apps versus 401 errors for nonexistent apps, breaking tenant isolation.

Vulnerability Details

Published Date

June 20, 2026

Last Modified

June 20, 2026

CWE ID

CWE-203

Source

NVD

Vendor

Capgo

Product

Capgo

External References

https://github.com/Cap-go/capgo/security/advisories/GHSA-73p9-mprg-7r75
https://www.vulncheck.com/advisories/capgo-app-existence-oracle-via-get-statistics-app-app-id

CVE-2026-56319

CVSS Score & Metrics

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment