Capgo API Key Information Disclosure Vulnerability (CVE-2026-56303)
An information disclosure vulnerability (CVE-2026-56303) in Capgo versions before 12.128.2 allows unauthenticated attackers to retrieve sensitive API key metadata, including user ID, mode, organization scoping, and expiration details, by exploiting a misconfigured PostgreSQL function via the `/rest/v1/rpc/find_apikey_by_value` endpoint.
A critical information disclosure vulnerability, identified as CVE-2026-56303, exists in Capgo software versions prior to 12.128.2. This flaw stems from a misconfiguration within the find_apikey_by_value PostgreSQL function, which is marked with SECURITY DEFINER and is unexpectedly executable by the anon role. Unauthenticated attackers can exploit this by sending a specially crafted HTTP POST request to the /rest/v1/rpc/find_apikey_by_value endpoint. When a valid API key value is supplied, the vulnerable function retrieves and discloses sensitive API key metadata, including user_id, mode, org scoping, and expiration details. This vulnerability allows attackers to gather crucial information that could lead to unauthorized access, privilege escalation, or further targeted attacks against the Capgo instance and its associated services, posing a significant risk to data confidentiality.
Attack Chain
- Vulnerability Identification: An attacker identifies a Capgo instance running a version prior to 12.128.2, making it susceptible to CVE-2026-56303.
- Request Construction: The attacker crafts an unauthenticated HTTP POST request specifically targeting the
/rest/v1/rpc/find_apikey_by_valueendpoint. - API Key Provision: The attacker includes a valid API key value within the body or parameters of the POST request, which may have been guessed, leaked, or brute-forced.
- Function Execution: The Capgo application receives the request and, due to the
find_apikey_by_valuePostgreSQL function being markedSECURITY DEFINERand executable by theanonrole, it executes the function with elevated privileges. - Database Query: The executed PostgreSQL function queries the underlying database for metadata associated with the provided API key.
- Information Disclosure: The Capgo application retrieves the sensitive API key metadata, including
user_id,mode,org scoping, andexpiration details, from the database. - Response Delivery: The application includes this sensitive metadata in the HTTP response body, sending it back to the unauthenticated attacker.
- Data Collection and Abuse: The attacker collects the disclosed API key metadata, which can then be used for unauthorized access, privilege escalation, or further targeted attacks against the Capgo instance or associated services.
Impact
Successful exploitation of CVE-2026-56303 leads to the unauthorized disclosure of sensitive API key metadata. This includes critical information such as user identifiers, operational modes, organizational scope, and expiration details of API keys. While the vulnerability itself does not directly grant arbitrary code execution or full system compromise, the exposed API key metadata can be a crucial stepping stone for attackers to escalate privileges, gain unauthorized access to other systems or data, or circumvent security controls. The impact primarily involves confidentiality breaches, potentially affecting all data accessible via the compromised API keys within the Capgo environment. The number of potentially affected victims corresponds to the total number of Capgo instances running vulnerable versions.
Recommendation
- Patch Capgo instances to version 12.128.2 or later immediately to remediate CVE-2026-56303.
- Deploy the Sigma rule titled "Detects CVE-2026-56303 Exploitation Attempt - Capgo API Key Disclosure" to your SIEM to monitor for exploitation attempts against the
/rest/v1/rpc/find_apikey_by_valueendpoint. - Monitor web server access logs for repeated or unusual POST requests to the
/rest/v1/rpc/find_apikey_by_valueendpoint from untrusted sources or at abnormal frequencies.
Detection coverage 1
Detects CVE-2026-56303 Exploitation Attempt - Capgo API Key Disclosure
highDetects CVE-2026-56303 exploitation - HTTP POST requests to the /rest/v1/rpc/find_apikey_by_value endpoint, which an unauthenticated attacker can call to retrieve sensitive API key metadata due to a misconfigured PostgreSQL function.
Detection queries are available on the platform. Get full rules →