PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-56316 Cap-go CVE debrief

CVE-2026-56316 is a medium-severity information disclosure vulnerability in Cap-go versions before 12.128.2. The flaw is in the OPTIONS /build/upload/:jobId/* endpoint: its response differs depending on whether the supplied job ID exists, so an unauthenticated attacker can enumerate valid builder job IDs by observing those discrepancies. The issue carries a CVSS 4.0 base score of 6.9 and was published on June 21, 2026. Affected users should upgrade to 12.128.2 or later.

Vendor
Cap-go
Product
capgo
CVSS
MEDIUM 6.9
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-21
Original CVE updated
2026-06-22
Advisory published
2026-06-21
Advisory updated
2026-06-22

Who should care

Anyone running Cap-go at a version before 12.128.2 with the build upload endpoint reachable from the network. The probe needs no credentials, so exposure is not limited to registered users: any client that can reach the OPTIONS /build/upload/:jobId/* route can test job IDs. Security teams and administrators who maintain Cap-go installations should confirm the deployed version, check how the endpoint is exposed, and schedule the upgrade.

Technical summary

The vulnerability is in the OPTIONS /build/upload/:jobId/* endpoint of Cap-go. The endpoint's answer to an unauthenticated OPTIONS request differs depending on whether the supplied job ID exists, which lets an attacker submit candidate IDs and tell valid builder jobs from invalid ones. Because each probe is unauthenticated and cheap, the same traffic can be sustained at volume and consume server resources. The CVSS vector is CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. Decoded: network-reachable, low attack complexity, no attack requirements, no privileges and no user interaction, low confidentiality impact (the existence of a job ID is disclosed) and no integrity or availability impact on the vulnerable system or on others. The trailing E/CR/IR/AR, environmental and supplemental metrics are all X (not defined), so only the base metrics contribute to the 6.9 score.
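The following is an added illustration of the response-discrepancy class described above, not Cap-go's own code: the route regex, the in-memory job store, the job IDs and both handlers are assumptions chosen to show the pattern. The leaky handler consults job state before answering a preflight; the hardened one answers from the route shape alone and defers existence and ownership checks to the authenticated upload request.

```javascript
// Added illustration of the response-discrepancy class behind CVE-2026-56316.
// This is not Cap-go's code: the route regex, job store, IDs and handlers are
// assumptions chosen to show the pattern, not the project's implementation.

// Constructed store of builder jobs that exist on this hypothetical server.
const knownJobs = new Set(["job-a1b2c3", "job-d4e5f6"]);

// Assumed route shape mirroring the advisory's /build/upload/:jobId/* path.
const ROUTE_RE = /^\/build\/upload\/([^/]+)\/.*$/;

function corsHeaders() {
  return {
    "access-control-allow-origin": "*",
    "access-control-allow-methods": "PUT, POST, OPTIONS",
    "access-control-allow-headers": "authorization, content-type",
  };
}

// Pattern to avoid: the OPTIONS handler looks the job up before answering.
// An unknown ID gets a bare 404, a known ID gets 204 plus CORS headers, so
// status and header set alone tell an unauthenticated caller which IDs exist.
function leakyOptionsHandler(req) {
  const m = ROUTE_RE.exec(req.path);
  if (!m) return { status: 404, headers: {} };
  const jobId = m[1];
  if (!knownJobs.has(jobId)) return { status: 404, headers: {} };
  return { status: 204, headers: corsHeaders() };
}

// Hardened pattern: the preflight answer depends only on whether the path
// matches the route, never on whether the job exists. Existence and ownership
// are checked on the authenticated upload that follows, where the caller is
// entitled to learn them. Skipping the lookup also removes a timing signal.
function uniformOptionsHandler(req) {
  if (!ROUTE_RE.test(req.path)) return { status: 404, headers: {} };
  return { status: 204, headers: corsHeaders() };
}

// Fingerprint of the observable parts of a response: status plus header names.
function fingerprint(res) {
  return `${res.status}|${Object.keys(res.headers).sort().join(",")}`;
}

// Models the attacker's test: take a baseline from an ID that cannot exist,
// then report every candidate whose response differs from that baseline.
function enumerate(handler, candidates) {
  const probe = (id) =>
    handler({ method: "OPTIONS", path: `/build/upload/${id}/manifest.json` });
  const baseline = fingerprint(probe("not-a-real-job-00000000"));
  return candidates.filter((id) => fingerprint(probe(id)) !== baseline);
}

const candidates = ["job-a1b2c3", "job-zzzzzz", "job-d4e5f6"];
console.log("leaky   handler reveals:", enumerate(leakyOptionsHandler, candidates));
console.log("uniform handler reveals:", enumerate(uniformOptionsHandler, candidates));
```

Against the leaky handler the probe recovers both stored IDs; against the uniform handler it recovers nothing, because every routed OPTIONS request yields the same status and header set. When reviewing a real fix, also compare response bodies, content-length and latency between known and unknown IDs, since any of those can carry the same signal.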

Defensive priority

Medium priority. The direct impact is disclosure of which builder job IDs exist, scored as a low confidentiality impact with no integrity or availability impact in the vector, plus the server load from sustained unauthenticated probing. Treat it as a patch-in-the-normal-cycle item unless the endpoint is exposed to untrusted networks, in which case move it up.

Recommended defensive actions

  • Update Cap-go to version 12.128.2 or later
  • Review and restrict access to the OPTIONS /build/upload/:jobId/* endpoint; OPTIONS requests are commonly CORS preflights, so confirm that legitimate browser and CLI clients still work after tightening
  • Monitor for unusual traffic patterns that could indicate exploitation attempts, such as one source issuing OPTIONS requests against many different job IDs
  • Implement rate limiting on the affected endpoint
  • Verify the deployed Cap-go version and re-check the endpoint configuration after the upgrade
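As an added example for the monitoring action above (not Cap-go's code), the script below runs a simple enumeration detector over constructed access-log lines. The log shape, IP addresses, job IDs and threshold are assumptions; adapt the line regex to your own server's log format.

```javascript
// Added detection example for the monitoring and rate-limiting actions above.
// This is not Cap-go's code. The access-log shape, IP addresses, job IDs and
// threshold are constructed assumptions; adapt LINE_RE to your own log format.

// Builds one constructed access-log line in a combined-log-like shape (assumed).
function logLine(ip, method, path, status) {
  return `${ip} - - [21/Jun/2026:10:00:00 +0000] "${method} ${path} HTTP/1.1" ${status} 0 "-" "curl/8.0"`;
}

// Constructed sample: one legitimate builder, one source walking candidate IDs,
// and one malformed line that the parser must skip.
const sampleLog = [
  logLine("203.0.113.10", "OPTIONS", "/build/upload/job-a1b2c3/manifest.json", 204),
  logLine("203.0.113.10", "PUT", "/build/upload/job-a1b2c3/manifest.json", 200),
  ...["0001", "0002", "0003", "0004", "0005", "0006", "0007"].map((n) =>
    logLine("198.51.100.7", "OPTIONS", `/build/upload/job-${n}/x`, 404)),
  logLine("198.51.100.7", "OPTIONS", "/build/upload/job-d4e5f6/x", 204),
  "garbage line that should be skipped",
];

// ip, ident, user, [timestamp], "METHOD path proto", status
const LINE_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/;
// Captures the :jobId segment of the advisory's route.
const UPLOAD_RE = /^\/build\/upload\/([^/?]+)\//;

// Parses one line into {ip, ts, method, path, status}; null if it does not match.
function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  return { ip: m[1], ts: m[2], method: m[3], path: m[4], status: Number(m[5]) };
}

// Aggregates OPTIONS requests to the upload route per client IP and flags
// sources that touched at least `minDistinctIds` different job IDs. The
// enumeration signature is many distinct IDs, mostly non-2xx, with no
// follow-up upload; a normal builder preflights one ID and then uploads to it.
function findEnumerators(lines, { minDistinctIds = 5 } = {}) {
  const perIp = new Map();
  for (const line of lines) {
    const rec = parseLine(line);
    if (!rec || rec.method !== "OPTIONS") continue;
    const m = UPLOAD_RE.exec(rec.path);
    if (!m) continue;
    let s = perIp.get(rec.ip);
    if (!s) {
      s = { ids: new Set(), requests: 0, nonSuccess: 0 };
      perIp.set(rec.ip, s);
    }
    s.ids.add(m[1]);
    s.requests += 1;
    if (rec.status >= 400) s.nonSuccess += 1;
  }
  const flagged = [];
  for (const [ip, s] of perIp) {
    if (s.ids.size >= minDistinctIds) {
      flagged.push({ ip, distinctIds: s.ids.size, requests: s.requests, nonSuccess: s.nonSuccess });
    }
  }
  return flagged.sort((a, b) => b.distinctIds - a.distinctIds);
}

console.log(findEnumerators(sampleLog));
```

On the sample this flags 198.51.100.7 (8 distinct IDs, 7 non-success) and ignores the legitimate builder. In production, bucket the counts by time window rather than over the whole file, pick the threshold from your own baseline of OPTIONS-per-client, and key the rate limit on the same (client, route) pair so the limiter and the alert agree.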

Evidence notes

The primary evidence is the CVE record and the NVD detail page. Both state that Cap-go versions before 12.128.2 are affected and that the endpoint lets unauthenticated attackers probe for valid job IDs. The stored evidence contains no CISA KEV listing for this CVE. Users should confirm their Cap-go version against 12.128.2 and check whether the endpoint is reachable from untrusted networks.

Official resources

This article is AI-assisted and based on the supplied source corpus.