CVE-2026-56303
Published: July 11, 2026•Last Modified: July 11, 2026
CVSS SCORE
7.5
HIGH
Vulnerability Description
Capgo before 12.128.2 contains an information disclosure vulnerability in the find_apikey_by_value PostgreSQL function marked SECURITY DEFINER and executable by the anon role. Unauthenticated attackers can call this function via the /rest/v1/rpc/find_apikey_by_value endpoint to retrieve sensitive API key metadata including user_id, mode, org scoping, and expiration details when supplied a valid key value.
Affected Products & Versions
No configurations parsed from local entry.
Security Advisories & References
Mitigation & Remediation
Update the affected packages to a secure version. Refer to vendor security advisories.
Share Advisory
Copy the standardized markdown formatted vulnerability report to post in Slack, Teams, email, or ticketing systems.
# HIGH - CVE-2026-56303
## EFFECT
Capgo before 12.128.2 contains an information disclosure vulnerability in the find_apikey_by_value PostgreSQL function marked SECURITY DEFINER and executable by the anon role. Unauthenticated attackers can call this function via the /rest/v1/rpc/find_apikey_by_value endpoint to retrieve sensitive API key metadata including user_id, mode, org scoping, and expiration details when supplied a valid key value.
## AFFECTED
Unknown products
## LINKS
- [github.com](https://github.com/Cap-go/capgo/security/advisories/GHSA-2xjq-h43m-592f)
- [www.vulncheck.com](https://www.vulncheck.com/advisories/capgo-unauthenticated-api-key-metadata-disclosure-via-security-definer-rpc-function)
## SOLUTION
- Update the affected packages to a secure version. Refer to vendor security advisories.