PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-56242 Capgo CVE debrief

CVE-2026-56242 is a HIGH-severity vulnerability in Capgo. An unauthenticated security definer RPC function, get_identity_apikey_only, returns the owning user_id for any supplied API key. This creates an API key validity oracle and a user identity disclosure primitive: an attacker can confirm whether a key is valid and map it to a user identifier, potentially leading to further exploitation. Affected users should prioritize patching to limit exposure. The CVE was published on 2026-06-21 with a CVSS score of 8.7.

Vendor
Capgo
Product
Unknown
CVSS
HIGH 8.7
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-21
Original CVE updated
2026-06-22
Advisory published
2026-06-21
Advisory updated
2026-06-22

Who should care

Defenders of Capgo installations should be aware of this vulnerability, especially where API keys are exposed or user identity information is sensitive. Security teams responsible for API key management and user identity protection need to assess their exposure and take action. Developers and administrators of applications built on Capgo should also review their configurations and update to a patched version.

Technical summary

The vulnerability exists in Capgo before version 12.128.2. The RPC function get_identity_apikey_only can be called without authentication to determine whether an API key is valid and which user it belongs to. Attackers can chain this information into other exposed RPCs, such as get_orgs_v6, to retrieve organization membership and management email PII. The CVSS:4.0 vector is AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X.

Defensive priority

High priority due to potential for user identity disclosure and API key exploitation.

Recommended defensive actions

  • Inventory Capgo installations and verify current version
  • Review and limit exposure of API keys
  • Update Capgo to version 12.128.2 or later
  • Monitor for suspicious RPC function calls
  • Implement compensating controls for API key management
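One way to act on the "monitor for suspicious RPC function calls" item, as an added example that is not part of this advisory or of Capgo: an oracle like get_identity_apikey_only is probed by submitting many candidate keys from one source, most of which miss. The log format below is constructed for the example (role, source and hit/miss fields are assumptions, not Capgo's real logging), and the thresholds are illustrative.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format (an assumption, not Capgo's real logging): one RPC call per line.
LINE_RE = re.compile(r"^(?P<ts>\S+) rpc=(?P<rpc>\S+) role=(?P<role>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$")
ORACLE_RPC = "get_identity_apikey_only"
WINDOW = timedelta(seconds=60)   # sliding window per source
MIN_CALLS = 10                   # calls inside the window before we care
MIN_MISS_RATIO = 0.8             # an oracle probe is mostly misses (unknown keys)

def parse(line):
    """Parse one constructed log line; returns None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev

def find_oracle_abuse(lines):
    """Map src -> (calls, misses) for the densest window that looks like key enumeration.
    Only unauthenticated (role=anon) calls count; after patching there should be none at all."""
    per_src = defaultdict(list)
    for line in lines:
        ev = parse(line)
        if ev and ev["rpc"] == ORACLE_RPC and ev["role"] == "anon":
            per_src[ev["src"]].append((ev["ts"], ev["result"] == "miss"))
    flagged = {}
    for src, events in per_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > WINDOW:
                start += 1
            window = events[start:end + 1]
            misses = sum(1 for _, miss in window if miss)
            if len(window) >= MIN_CALLS and misses / len(window) >= MIN_MISS_RATIO:
                if src not in flagged or len(window) > flagged[src][0]:
                    flagged[src] = (len(window), misses)
    return flagged

# Constructed sample: one source probing 12 keys in 11 seconds (11 unknown, 1 valid),
# one authenticated caller, and one source with a single stray anon call.
SAMPLE_LOG = (
    [f"2026-06-21T10:00:{i:02d}Z rpc={ORACLE_RPC} role=anon src=203.0.113.5 result=miss" for i in range(11)]
    + [f"2026-06-21T10:00:11Z rpc={ORACLE_RPC} role=anon src=203.0.113.5 result=hit",
       f"2026-06-21T10:00:12Z rpc={ORACLE_RPC} role=authenticated src=198.51.100.7 result=hit",
       f"2026-06-21T10:00:13Z rpc={ORACLE_RPC} role=anon src=192.0.2.9 result=miss"]
)
```

Running `find_oracle_abuse(SAMPLE_LOG)` flags only 203.0.113.5 with 12 calls and 11 misses; the authenticated caller and the single stray call are ignored.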

Evidence notes

The primary evidence for this vulnerability comes from the CVE record and NVD detail pages. The vulnerability affects Capgo versions before 12.128.2. The unauthenticated RPC function get_identity_apikey_only can be used to disclose user identities and validate API keys. Defenders should verify their Capgo installations and review API key management practices.

Official resources

This article is AI-assisted and based on the supplied source corpus.