PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-56319 Capgo CVE debrief

CVE-2026-56319 is a medium-severity information disclosure vulnerability in Capgo before 12.128.2. The flaw is in the GET /statistics/app/:app_id endpoint: the holder of an app-limited API key can tell existing sibling app IDs apart from non-existent ones because the two cases produce distinct error responses. This breaks tenant isolation, since real app IDs outside the key's permitted scope can be enumerated. The vulnerability has a CVSS score of 5.3 and is rated medium severity.

Vendor
Capgo
Product
Unknown
CVSS
MEDIUM 5.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-20
Original CVE updated
2026-06-22
Advisory published
2026-06-20
Advisory updated
2026-06-22

Who should care

Defenders of Capgo deployments running versions prior to 12.128.2 are affected. The issue weakens the tenant isolation mechanism by allowing unauthorized enumeration of app IDs. Organizations using Capgo should assess their exposure and prioritize patching to remove the enumeration oracle.

Technical summary

The vulnerability is located in the GET /statistics/app/:app_id endpoint of Capgo. A caller holding an app-limited API key can determine whether a sibling app ID exists by comparing the error responses: an app that exists but is inaccessible to the key returns a 500 PGRST116 error, while a non-existent app returns a 401 error. The difference lets the caller enumerate valid app IDs outside their authorized scope, effectively breaking tenant isolation. The CVSS vector for this vulnerability is CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X.

Defensive priority

Medium priority due to potential for enumeration of app IDs, compromising tenant isolation.

Recommended defensive actions

  • Inventory Capgo applications and versions to identify potential exposure.
  • Review and apply the patch to update Capgo to version 12.128.2 or later.
  • Limit exposure by restricting access to the GET /statistics/app/:app_id endpoint.
  • Monitor for unusual patterns of error responses that could indicate exploitation attempts.
  • Implement compensating controls to detect and prevent unauthorized app ID enumeration.
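The monitoring and detection bullets above, as an added example that is not Capgo's or PatchSiren's code: it scans constructed access-log lines for a single API key collecting the 401/500 existence-oracle responses across many distinct app IDs on GET /statistics/app/:app_id within a short window. The log field layout, the key identifiers and the thresholds are assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample access-log lines (not real Capgo logs); the field layout
# (timestamp, API-key identifier, method, path, HTTP status) is an assumption.
SAMPLE_LOG = """\
2026-06-21T10:00:01Z key_a GET /statistics/app/com.example.own 200
2026-06-21T10:00:02Z key_a GET /statistics/app/com.example.guess1 401
2026-06-21T10:00:03Z key_a GET /statistics/app/com.example.guess2 500
2026-06-21T10:00:04Z key_a GET /statistics/app/com.example.guess3 401
2026-06-21T10:00:05Z key_a GET /statistics/app/com.example.guess4 500
2026-06-21T10:00:06Z key_a GET /statistics/app/com.example.guess5 401
2026-06-21T10:30:00Z key_b GET /statistics/app/com.example.other 200
2026-06-21T10:30:01Z key_b GET /statistics/app/com.example.typo 401
"""

# Per the advisory: 401 = non-existent app, 500 (PGRST116) = existing but out-of-scope app.
ORACLE_STATUSES = {401, 500}
LINE_RE = re.compile(r"^(\S+) (\S+) GET /statistics/app/([^/\s]+) (\d{3})$")


def parse_log(text):
    """Yield (timestamp, key, app_id, status) for lines hitting the endpoint."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m.group(2), m.group(3), int(m.group(4))


def find_enumeration(text, window=timedelta(minutes=5), min_distinct=5):
    """Flag keys whose oracle-status lookups touch >= min_distinct distinct app IDs within window."""
    per_key = defaultdict(list)
    for ts, key, app_id, status in parse_log(text):
        if status in ORACLE_STATUSES:
            per_key[key].append((ts, app_id, status))
    findings = {}
    for key, events in per_key.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # drop events that fell out of the sliding window
            span = events[start:end + 1]
            ids = {app_id for _, app_id, _ in span}
            if len(ids) >= min_distinct:
                findings[key] = {"app_ids": sorted(ids),
                                 "by_status": dict(Counter(s for _, _, s in span))}
                break  # one finding per key is enough to raise an alert
    return findings
```

A single 401 for a mistyped app ID (key_b) is normal traffic and is not flagged; a burst of mixed 401/500 responses over distinct IDs from one key (key_a) is.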

Evidence notes

The primary evidence for this vulnerability comes from the CVE-2026-56319 record and associated references. The vulnerability affects Capgo versions before 12.128.2. Defenders should verify the version of Capgo in use and check for any existing sibling app IDs that could be enumerated. Official sources, such as the CVE record and vendor advisories, should be consulted for accurate information and mitigation strategies.

Official resources

This article is AI-assisted and based on the supplied source corpus.