Capgo – Unauthenticated API Key Validity Oracle and User Identity...

8.7 / 10

HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Description

Capgo before 12.128.2 contains an unauthenticated security definer RPC function get_identity_apikey_only that returns the owning user_id for supplied API keys, creating an API key validity oracle and user identity disclosure primitive. Attackers can call this endpoint with valid or invalid API keys to confirm key validity and map keys to user identifiers, then chain results into other exposed RPCs like get_orgs_v6 to retrieve organization membership and management email PII.

Basic Information

ID CVE-2026-56242

Source VulnCheck

Published Jun 21, 2026 at 13:26

Affected Product

Vendor Capgo

Product Capgo

Affected Versions Capgo Capgo 0

CWE Classification

CWE-200

References

{
    "lastseen": "",
    "description": "Capgo before 12.128.2 contains an unauthenticated security definer RPC function get_identity_apikey_only that returns the owning user_id for supplied API keys, creating an API key validity oracle and user identity disclosure primitive. Attackers can call this endpoint with valid or invalid API keys to confirm key validity and map keys to user identifiers, then chain results into other exposed RPCs like get_orgs_v6 to retrieve organization membership and management email PII.",
    "published": "2026-06-21T13:26:52.807Z",
    "modified": "2026-06-21T13:26:52.807Z",
    "type": "cve",
    "title": "Capgo - Unauthenticated API Key Validity Oracle and User Identity Disclosure via get_identity_apikey_only RPC",
    "source": "VulnCheck",
    "references": "https://github.com/Cap-go/capgo/security/advisories/GHSA-fhgj-7376-qxwx\nhttps://www.vulncheck.com/advisories/capgo-unauthenticated-api-key-validity-oracle-and-user-identity-disclosure-via-get-identity-apikey-only-rpc",
    "id": "CVE-2026-56242",
    "bulletinFamily": "",
    "cwe": [
        "CWE-200"
    ],
    "cvelist": null,
    "sourceData": "Capgo Capgo 0",
    "sourceHref": "",
    "cvss": {
        "score": 8.7,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Capgo",
    "version": "0",
    "vendor": "Capgo",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Capgo – Unauthenticated API Key Validity Oracle and User Identity Disclosure via get_identity_apikey_only RPC_CVE-2026-56242