Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Requires a valid non-expiring API key (PR:L, AV:N); impact is limited to webhook-scope confidentiality, integrity, and availability with no scope change.
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
Capgo before 12.128.2 contains an authorization bypass vulnerability in webhook management endpoints that allows non-expiring API keys to bypass the require_apikey_expiration organization policy. The checkWebhookPermission function fails to call apikeyHasOrgRightWithPolicy, enabling attackers with legacy non-expiring keys to list, create, and delete webhooks despite explicit organizational policy requiring key expiration.
AnalysisAI
Webhook management endpoints in Capgo before 12.128.2 expose an authorization policy bypass that allows holders of non-expiring API keys to circumvent the organization-level require_apikey_expiration policy. The checkWebhookPermission function omits the required call to apikeyHasOrgRightWithPolicy, leaving webhook operations - listing, creating, and deleting - accessible to legacy non-expiring keys even when the organization has explicitly mandated key expiration. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires possession of a valid non-expiring API key for the target Capgo organization - the attacker must already hold authenticated access at the API key level (CVSS PR:L). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 base score of 5.3 (Medium) correctly reflects network accessibility (AV:N), low attack complexity (AC:L), and a low-privilege prerequisite (PR:L - a valid API key), with limited confidentiality, integrity, and availability impacts (VC:L/VI:L/VA:L) confined to the vulnerable system. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who holds or has stolen a non-expiring Capgo API key for an organization that has activated the require_apikey_expiration policy sends authenticated API requests directly to webhook management endpoints; because checkWebhookPermission does not invoke the policy check, the requests succeed silently. The attacker can enumerate existing webhooks to map the organization's CI/CD integrations, delete legitimate webhook receivers to disrupt mobile app live-update deployments, or inject a malicious webhook URL to intercept delivery events and potentially manipulate the update pipeline. … |
| Remediation | The primary fix is to upgrade Capgo to version 12.128.2 or later, which introduces the missing apikeyHasOrgRightWithPolicy call within checkWebhookPermission, closing the policy-enforcement gap. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Authentication bypass in Capgo before 12.128.2 lets remote unauthenticated attackers mint arbitrary API keys by tamperin
Cross-domain SSO account takeover in Capgo before 12.128.2 allows an attacker with enterprise org admin access and a mal
Account pre-registration hijack in Capgo before 12.128.2 lets a remote unauthenticated attacker claim an account under a
Authentication bypass in Capgo prior to version 12.128.2 lets attackers defeat email-based OTP verification by tampering
Rate-limit bypass in Capgo versions prior to 12.128.2 lets remote unauthenticated attackers flood the channel_self endpo
Cross-tenant data poisoning in Supabase Capgo before 12.128.2 allows remote unauthenticated attackers to corrupt billing
Server-side privilege escalation in Capgo before 12.128.2 lets authenticated users holding build permissions abuse a pat
Unauthenticated information disclosure in Capgo before 12.128.2 lets remote attackers query the /functions/v1/channel_se
Account takeover in Capgo before 12.128.2 stems from a password-change endpoint that omits current-password validation (
Information disclosure in Capgo (Capacitor live-update/OTA platform) before 12.128.2 lets unauthenticated callers abuse
Unauthenticated information disclosure in Capgo before 12.128.2 lets remote attackers read organization RBAC role bindin
Cross-tenant authorization bypass in Capgo before 12.128.2 lets authenticated users impersonate another tenant's limited
Same weakness CWE-285 – Improper Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38122
GHSA-99cw-mv92-985v