Cap-go – Job Existence Oracle via Unauthenticated OPTIONS /build/upload/:jobId/*

6.9 / 10

MEDIUM

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Description

Cap-go before 12.128.2 contains an information disclosure vulnerability in the OPTIONS /build/upload/:jobId/* endpoint that allows unauthenticated attackers to enumerate valid builder job IDs through observable response discrepancies. Attackers can probe the endpoint without authentication to distinguish valid job IDs from invalid ones and generate sustained unauthenticated traffic for resource consumption.

Basic Information

ID CVE-2026-56316

Source VulnCheck

Published Jun 21, 2026 at 13:26

Affected Product

Vendor Cap-go

Product capgo

Affected Versions Cap-go capgo 0

CWE Classification

CWE-203

References

{
    "lastseen": "",
    "description": "Cap-go before 12.128.2 contains an information disclosure vulnerability in the OPTIONS /build/upload/:jobId/* endpoint that allows unauthenticated attackers to enumerate valid builder job IDs through observable response discrepancies. Attackers can probe the endpoint without authentication to distinguish valid job IDs from invalid ones and generate sustained unauthenticated traffic for resource consumption.",
    "published": "2026-06-21T13:26:56.210Z",
    "modified": "2026-06-21T13:26:56.210Z",
    "type": "cve",
    "title": "Cap-go - Job Existence Oracle via Unauthenticated OPTIONS /build/upload/:jobId/*",
    "source": "VulnCheck",
    "references": "https://github.com/Cap-go/capgo/security/advisories/GHSA-9c2x-7h5x-37gm\nhttps://www.vulncheck.com/advisories/cap-go-job-existence-oracle-via-unauthenticated-options-build-upload-jobid",
    "id": "CVE-2026-56316",
    "bulletinFamily": "",
    "cwe": [
        "CWE-203"
    ],
    "cvelist": null,
    "sourceData": "Cap-go capgo 0",
    "sourceHref": "",
    "cvss": {
        "score": 6.9,
        "severity": "MEDIUM",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "capgo",
    "version": "0",
    "vendor": "Cap-go",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Cap-go – Job Existence Oracle via Unauthenticated OPTIONS /build/upload/:jobId/*_CVE-2026-56316