← back
CVE-2026-56232

Capgo - Subkey Scope Bypass in middlewareKey via x-limited-key-id Header

CVSS 8.7 HIGHEPSS 0.3%CWE-863
Capgo before 12.128.2 fails to enforce limited_to_orgs and limited_to_apps constraints on subkeys provided via x-limited-key-id header in middlewareKey function. Attackers can bypass subkey scope restrictions by referencing their own subkeys, causing all downstream route handlers to use the unrestricted parent key instead of the scoped subkey.
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Affected products
Capgo · Capgo

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://github.com/Cap-go/capgo/security/advisories/GHSA-2h89-vcvx-5pvhhttps://www.vulncheck.com/advisories/capgo-subkey-scope-bypass-in-middlewarekey-via-x-limited-key-id-header