CVE-2026-56303
Capgo · Capgo
A vulnerability in Capgo allows unauthenticated attackers to perform sensitive information disclosure through a security-definer RPC function.
Executive summary
A critical information disclosure vulnerability in Capgo versions prior to 12.128.2 could allow unauthenticated attackers to access sensitive metadata.
Vulnerability
This vulnerability (CWE-200) involves the exposure of sensitive information to an unauthorized actor via a security-definer RPC function, which does not require authentication.
Business impact
Successful exploitation of this flaw could lead to the unauthorized exposure of sensitive system metadata, potentially providing an attacker with the necessary information to conduct further attacks. Given the CVSS score of 7.5, this high-severity vulnerability poses a significant risk to the confidentiality of organizational data managed within the Capgo environment.
Remediation
Immediate Action: Update Capgo to version 12.128.2 or later to apply the security fix.
Proactive Monitoring: Review access logs for unusual RPC calls or unexpected metadata requests originating from external or unauthorized sources.
Compensating Controls: Implement network-level restrictions or a Web Application Firewall (WAF) to block unauthorized access to administrative RPC endpoints.
Exploitation status
Public Exploit Available: No
Analyst recommendation
The risk associated with this vulnerability is high due to the lack of required authentication for access. System administrators should prioritize upgrading to version 12.128.2 immediately to ensure that sensitive metadata is no longer exposed to unauthenticated actors.