CVE-2026-56238

Capgo · Capgo

Capgo before 12.128.2 is vulnerable to an information disclosure flaw that allows unauthenticated actors to access sensitive global statistics.

Executive summary

An unauthenticated information disclosure vulnerability in Capgo allows unauthorized actors to access sensitive system statistics.

Vulnerability

This is an Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability. The issue stems from the exposure of a PostgREST global statistics endpoint that does not enforce authentication, allowing remote, unauthenticated attackers to extract sensitive system data.

Business impact

This vulnerability carries a CVSS score of 7.5, reflecting the ease of exploitation (unauthenticated) and the potential for significant information disclosure. Unauthorized access to global statistics can reveal metadata or system insights that assist an attacker in planning further, more targeted attacks against the infrastructure.

Remediation

Immediate Action: Update the Capgo software to version 12.128.2 or later, which contains the necessary security fixes.

Proactive Monitoring: Monitor API endpoints and HTTP traffic for anomalous volumes of requests, particularly those directed toward statistics-related endpoints.

Compensating Controls: Use a Web Application Firewall (WAF) to restrict access to sensitive endpoints and block unauthorized requests to internal statistics interfaces.

Exploitation status

Public Exploit Available: No (Exploit_available: false)

Analyst recommendation

The vulnerability is straightforward to exploit due to the lack of required authentication. All users of the affected Capgo versions are strongly encouraged to upgrade to 12.128.2 immediately to prevent unauthorized information leakage and maintain the security posture of their deployment.