CVE-2026-56295 | Mend Vulnerability Database

Vulnerability DatabaseCVE-2026-56295

CVE-2026-56295

Published:June 20, 2026

Updated:June 29, 2026

Capgo before 12.128.2 contains an authorization bypass vulnerability in webhook management endpoints that allows non-expiring API keys to bypass the require_apikey_expiration organization policy. The checkWebhookPermission function fails to call apikeyHasOrgRightWithPolicy, enabling attackers with legacy non-expiring keys to list, create, and delete webhooks despite explicit organizational policy requiring key expiration.

Affected Packages

https://github.com/Cap-go/capgo.git (GITHUB):

Affected version(s) >=capgo-12.123.9 <capgo-12.128.2

Fix Suggestion:

Update to version capgo-12.128.2

Related Resources (2)

https://github.com/Cap-go/capgo/security/advisories/GHSA-vwpp-cqv5-cmfm

https://www.vulncheck.com/advisories/capgo-policy-enforcement-bypass-in-webhook-management-endpoints-via-non-expiring-api-keys

Do you need more information?

CVSS v4

Base Score:

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Attack Requirements

NONE

Privileges Required

LOW

User Interaction

NONE

Vulnerable System Confidentiality

LOW

Vulnerable System Integrity

LOW

Vulnerable System Availability

LOW

Subsequent System Confidentiality

NONE

Subsequent System Integrity

NONE

Subsequent System Availability

NONE

CVSS v3

Base Score:

6.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

LOW

Integrity

LOW

Availability

LOW

Weakness Type (CWE)

Improper Authorization

CWE-285

EPSS

Base Score:

0.19