NVD Vulnerability Detail

Search Exploit, PoC

NVD脆弱性検索トップ

->

NVD Vulnerability Detail

CVE-2026-56242

Summary	Capgo before 12.128.2 contains an unauthenticated security definer RPC function get_identity_apikey_only that returns the owning user_id for supplied API keys, creating an API key validity oracle and user identity disclosure primitive. Attackers can call this endpoint with valid or invalid API keys to confirm key validity and map keys to user identifiers, then chain results into other exposed RPCs like get_orgs_v6 to retrieve organization membership and management email PII.
Publication Date	June 21, 2026, 11:16 p.m.
Registration Date	June 27, 2026, 4:08 a.m.
Last Update	June 23, 2026, 3:36 a.m.

CVSS3.1 : HIGH
スコア	7.5
Vector	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
攻撃元区分(AV)	ネットワーク
攻撃条件の複雑さ(AC)	低
攻撃に必要な特権レベル(PR)	不要
利用者の関与(UI)	不要
影響の想定範囲(S)	変更なし
機密性への影響(C)	高
完全性への影響(I)	なし
可用性への影響(A)	なし

Related information, measures and tools

No	URL	refsource	タグ
1	https://github.com/Cap-go/capgo/security/advisories/GHSA-fhgj-7376-qxwx	disclosure@vulncheck.com
2	https://www.vulncheck.com/advisories/capgo-unauthenticated-api-key-validity-oracle-and-user-identity-disclosure-via-get-identity-apikey-only-rpc	disclosure@vulncheck.com
3	https://github.com/Cap-go/capgo/security/advisories/GHSA-fhgj-7376-qxwx	134c704f-9b21-4f2e-91b3-4a467353bcc0

Common Vulnerabilities List