PatchSiren cyber security CVE debrief
CVE-2026-56303 Capgo CVE debrief
CVE-2026-56303 is an information disclosure vulnerability in Capgo before 12.128.2. The vulnerability is located in the find_apikey_by_value PostgreSQL function, which is marked SECURITY DEFINER and executable by the anon role. This allows unauthenticated attackers to call this function via the /rest/v1/rpc/find_apikey_by_value endpoint to retrieve sensitive API key metadata, including user_id, mode, org scoping, and expiration details when supplied a valid key value. The source details are limited, and defenders should verify the affected scope and severity with the vendor.
- Vendor
- Capgo
- Product
- Unknown
- CVSS
- HIGH 8.7
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-11
- Original CVE updated
- 2026-07-11
- Advisory published
- 2026-07-11
- Advisory updated
- 2026-07-11
Who should care
Users of Capgo before version 12.128.2 should be aware of this vulnerability and take steps to mitigate it. This vulnerability is particularly concerning because it allows unauthenticated attackers to access sensitive information. Operators, platform administrators, vulnerability management teams, and security teams should review the affected product scope and take necessary actions to protect sensitive API key metadata.
Technical summary
The find_apikey_by_value PostgreSQL function in Capgo before 12.128.2 is marked SECURITY DEFINER and executable by the anon role. This function can be called via the /rest/v1/rpc/find_apikey_by_value endpoint, allowing unauthenticated attackers to retrieve sensitive API key metadata, including user_id, mode, org scoping, and expiration details when supplied a valid key value. The vulnerability is particularly concerning because it allows unauthenticated attackers to access sensitive information. Users of Capgo before version 12.128.2 should be aware of this vulnerability and take steps to mitigate it.
Defensive priority
High
Recommended defensive actions
- Update Capgo to version 12.128.2 or later
- Restrict access to the /rest/v1/rpc/find_apikey_by_value endpoint
- Monitor for suspicious activity on the /rest/v1/rpc/find_apikey_by_value endpoint
- Consider implementing additional security measures to protect sensitive API key metadata
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
Evidence notes
The CVE record was published on 2026-07-11T14:16:21.820Z and has not been modified since then. The NVD entry is currently Received. The information disclosure vulnerability in Capgo before 12.128.2 is located in the find_apikey_by_value PostgreSQL function, which is marked SECURITY DEFINER and executable by the anon role. This allows unauthenticated attackers to call this function via the /rest/v1/rpc/find_apikey_by_value endpoint to retrieve sensitive API key metadata, including user_id, mode, org scoping, and expiration details when supplied a valid key value. The source details are limited, and defenders should verify the affected scope and severity with the vendor.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-11T14:16:21.820Z and has not been modified since then.