PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-56303 Capgo CVE debrief

CVE-2026-56303 is an information disclosure vulnerability in Capgo before 12.128.2. The vulnerability is located in the find_apikey_by_value PostgreSQL function, which is marked SECURITY DEFINER and executable by the anon role. This allows unauthenticated attackers to call this function via the /rest/v1/rpc/find_apikey_by_value endpoint to retrieve sensitive API key metadata, including user_id, mode, org scoping, and expiration details when supplied a valid key value. The source details are limited, and defenders should verify the affected scope and severity with the vendor.

Vendor
Capgo
Product
Unknown
CVSS
HIGH 8.7
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-11
Original CVE updated
2026-07-11
Advisory published
2026-07-11
Advisory updated
2026-07-11

Who should care

Users of Capgo before version 12.128.2 should be aware of this vulnerability and take steps to mitigate it. This vulnerability is particularly concerning because it allows unauthenticated attackers to access sensitive information. Operators, platform administrators, vulnerability management teams, and security teams should review the affected product scope and take necessary actions to protect sensitive API key metadata.

Technical summary

The find_apikey_by_value PostgreSQL function in Capgo before 12.128.2 is marked SECURITY DEFINER and executable by the anon role. This function can be called via the /rest/v1/rpc/find_apikey_by_value endpoint, allowing unauthenticated attackers to retrieve sensitive API key metadata, including user_id, mode, org scoping, and expiration details when supplied a valid key value. The vulnerability is particularly concerning because it allows unauthenticated attackers to access sensitive information. Users of Capgo before version 12.128.2 should be aware of this vulnerability and take steps to mitigate it.

Defensive priority

High

Recommended defensive actions

  • Update Capgo to version 12.128.2 or later
  • Restrict access to the /rest/v1/rpc/find_apikey_by_value endpoint
  • Monitor for suspicious activity on the /rest/v1/rpc/find_apikey_by_value endpoint
  • Consider implementing additional security measures to protect sensitive API key metadata
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented

Evidence notes

The CVE record was published on 2026-07-11T14:16:21.820Z and has not been modified since then. The NVD entry is currently Received. The information disclosure vulnerability in Capgo before 12.128.2 is located in the find_apikey_by_value PostgreSQL function, which is marked SECURITY DEFINER and executable by the anon role. This allows unauthenticated attackers to call this function via the /rest/v1/rpc/find_apikey_by_value endpoint to retrieve sensitive API key metadata, including user_id, mode, org scoping, and expiration details when supplied a valid key value. The source details are limited, and defenders should verify the affected scope and severity with the vendor.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-11T14:16:21.820Z and has not been modified since then.