Capgo – Unauthenticated API Key Generation via Client-Side Parameter Manipulation

9.3 / 10

CRITICAL

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Description

Capgo before 12.128.2 contains a broken authentication vulnerability in its API key generation mechanism. API keys are exposed in frontend requests, and the backend fails to validate that keys are securely generated and bound to the authenticated user. An attacker can tamper with the API key parameter in the generation request and supply arbitrary values, generating custom API keys without proper authorization, which can lead to unauthorized access to protected endpoints.

AI Analysis

Unauthenticated API key generation via client-side parameter manipulation in Capgo before 12.128.2

Basic Information

ID CVE-2026-56237

Source VulnCheck

Published Jun 24, 2026 at 11:53

Affected Product

Vendor Capgo

Product Capgo

Affected Versions Capgo Capgo 0

CWE Classification

CWE-287

AI Assessment

AI Score 9.3 / 10

AI Severity Critical

Vendor Capgo

Product Capgo

Version before 12.128.2

References

{
    "lastseen": "",
    "description": "Capgo before 12.128.2 contains a broken authentication vulnerability in its API key generation mechanism. API keys are exposed in frontend requests, and the backend fails to validate that keys are securely generated and bound to the authenticated user. An attacker can tamper with the API key parameter in the generation request and supply arbitrary values, generating custom API keys without proper authorization, which can lead to unauthorized access to protected endpoints.",
    "published": "2026-06-24T11:53:10.089Z",
    "modified": "2026-06-24T11:53:10.089Z",
    "type": "cve",
    "title": "Capgo - Unauthenticated API Key Generation via Client-Side Parameter Manipulation",
    "source": "VulnCheck",
    "references": "https://github.com/Cap-go/capgo/security/advisories/GHSA-22w2-mx2h-4fr7\nhttps://www.vulncheck.com/advisories/capgo-unauthenticated-api-key-generation-via-client-side-parameter-manipulation",
    "id": "CVE-2026-56237",
    "bulletinFamily": "",
    "cwe": [
        "CWE-287"
    ],
    "cvelist": null,
    "sourceData": "Capgo Capgo 0",
    "sourceHref": "",
    "cvss": {
        "score": 9.3,
        "severity": "CRITICAL",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Capgo",
    "version": "0",
    "vendor": "Capgo",
    "ai_description": "Unauthenticated API key generation via client-side parameter manipulation in Capgo before 12.128.2",
    "ai_severity": "Critical",
    "ai_vendor": "Capgo",
    "ai_product": "Capgo",
    "ai_version": "before 12.128.2",
    "ai_score": 9.3
}

Capgo – Unauthenticated API Key Generation via Client-Side Parameter Manipulation_CVE-2026-56237