Capgo - App Existence Oracle via GET /statistics/app/:app_id | Advisories

Advisories

Capgo - App Existence Oracle via GET /statistics/app/:app_id

severity: medium
date: 6/20/2026
Affecting: Capgo >= 0, < 12.128.2
CVE: CVE-2026-56319
CWE: CWE-203 Observable Discrepancy
CVSS: 5.3
CVSS V4 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
References: GHSA Advisory GHSA-73p9-mprg-7r75
Credit: Judel777
Description: Capgo before 12.128.2 contains an information disclosure vulnerability in the GET /statistics/app/:app_id endpoint that allows app-limited API keys to distinguish existing sibling app IDs through differential error responses. Attackers can enumerate real app IDs outside their allowed scope by observing 500 PGRST116 errors for inaccessible apps versus 401 errors for nonexistent apps, breaking tenant isolation.

Ready to get Started?

Explore VulnCheck, a next-generation Cyber Threat Intelligence platform, which provides exploit and vulnerability intelligence to help you prioritize and remediate vulnerabilities that matter.

Vulnerability Prioritization
Prioritize vulnerabilities that matter based on the threat landscape and defer vulnerabilities that don't.
Early Warning System
Real-time alerting of changes in the vulnerability landscape so that you can take action before the attacks start.

Schedule a Demo