Capgo - Cross-App Build Job Access via app_id/job_id Mismatch in /build/status and /build/logs | Advisories

Advisories

Capgo - Cross-App Build Job Access via app_id/job_id Mismatch in /build/status and /build/logs

severity: medium
date: 6/21/2026
Affecting: Capgo >= 0, < 12.128.2
CVE: CVE-2026-56229
CWE: CWE-639 Authorization Bypass Through User-Controlled Key
CVSS: 7.1
CVSS V4 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
References: GHSA Advisory GHSA-2fw5-mcrx-wcqw
Credit: Judel777
Description: Capgo before 12.128.2 contains an authorization bypass vulnerability in the /build/status and /build/logs endpoints that allows attackers to access build jobs belonging to different applications by supplying a mismatched app_id and job_id combination. Limited API keys restricted to a single app can retrieve build status and logs from other apps by providing an authorized app_id while using a job_id from an unauthorized app, exposing sensitive build information including logs, metadata, and potentially credentials.

Ready to get Started?

Explore VulnCheck, a next-generation Cyber Threat Intelligence platform, which provides exploit and vulnerability intelligence to help you prioritize and remediate vulnerabilities that matter.

Vulnerability Prioritization
Prioritize vulnerabilities that matter based on the threat landscape and defer vulnerabilities that don't.
Early Warning System
Real-time alerting of changes in the vulnerability landscape so that you can take action before the attacks start.

Schedule a Demo