Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1336 CNY

100%

CVE-2026-56237— Capgo - Unauthenticated API Key Generation via Client-Side Parameter Manipulation

CVSS 9.1 · Critical EPSS 0.29% · P21

Affected Version Matrix 2

VendorProductVersion RangeStatus
CapgoCapgo< 12.128.2affected
12.128.2unaffected
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-56237

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
Capgo - Unauthenticated API Key Generation via Client-Side Parameter Manipulation
Source: NVD (National Vulnerability Database)
Vulnerability Description
Capgo before 12.128.2 contains a broken authentication vulnerability in its API key generation mechanism. API keys are exposed in frontend requests, and the backend fails to validate that keys are securely generated and bound to the authenticated user. An attacker can tamper with the API key parameter in the generation request and supply arbitrary values, generating custom API keys without proper authorization, which can lead to unauthorized access to protected endpoints.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
认证机制不恰当
Source: NVD (National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
CapgoCapgo 0 ~ 12.128.2 -

II. Public POCs for CVE-2026-56237

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2026-56237

登录查看更多情报信息。

Vendor Advisories for CVE-2026-56237 (2)

Same Patch Batch · Capgo · 2026-06-24 · 10 CVEs total

CVE-2026-562328.8 HIGHCapgo - Subkey Scope Bypass in middlewareKey via x-limited-key-id Header
CVE-2026-562238.7 HIGHCapgo - Account Takeover via Cross-Domain SSO Email Assertion in provision-user
CVE-2026-562317.6 HIGHCapgo - Broken Object Level Authorization in Build Job Control via jobId Parameter
CVE-2026-562447.1 HIGHCapgo - Webhook Signing Secret Disclosure via Non-Admin API Key
CVE-2026-562567.1 HIGHCapgo - Two-Factor Authentication Bypass via Organization Management API
CVE-2026-562577.1 HIGHCapgo - Authorization Bypass in App Ownership Transfer via Direct PostgREST Update
CVE-2026-563026.5 MEDIUMCapgo - Unsecured Supabase Images Bucket via Missing Row Level Security
CVE-2026-563375.3 MEDIUMCapgo - Information Disclosure via Unauthenticated RPC Function exist_app_v2
CVE-2026-563385.3 MEDIUMCapgo - Denial of Service in 2FA Email Verification via /auth/v1/otp Endpoint

IV. Related Vulnerabilities

V. Comments for CVE-2026-56237

No comments yet


Leave a comment