Back to Dashboard

CVE-2026-56303

Published: July 11, 2026Last Modified: July 11, 2026
CVSS SCORE
7.5
HIGH

Vulnerability Description

Capgo before 12.128.2 contains an information disclosure vulnerability in the find_apikey_by_value PostgreSQL function marked SECURITY DEFINER and executable by the anon role. Unauthenticated attackers can call this function via the /rest/v1/rpc/find_apikey_by_value endpoint to retrieve sensitive API key metadata including user_id, mode, org scoping, and expiration details when supplied a valid key value.

Affected Products & Versions

No configurations parsed from local entry.

Mitigation & Remediation

Update the affected packages to a secure version. Refer to vendor security advisories.

Share Advisory

Copy the standardized markdown formatted vulnerability report to post in Slack, Teams, email, or ticketing systems.

# HIGH - CVE-2026-56303 ## EFFECT Capgo before 12.128.2 contains an information disclosure vulnerability in the find_apikey_by_value PostgreSQL function marked SECURITY DEFINER and executable by the anon role. Unauthenticated attackers can call this function via the /rest/v1/rpc/find_apikey_by_value endpoint to retrieve sensitive API key metadata including user_id, mode, org scoping, and expiration details when supplied a valid key value. ## AFFECTED Unknown products ## LINKS - [github.com](https://github.com/Cap-go/capgo/security/advisories/GHSA-2xjq-h43m-592f) - [www.vulncheck.com](https://www.vulncheck.com/advisories/capgo-unauthenticated-api-key-metadata-disclosure-via-security-definer-rpc-function) ## SOLUTION - Update the affected packages to a secure version. Refer to vendor security advisories.