A critical broken-authentication flaw in Capgo lets unauthenticated attackers forge arbitrary API keys and reach protected endpoints; it is fixed in version 12.128.2.
What Is It
CVE-2026-56237 is a broken authentication vulnerability (CWE-287) in Capgo's API key generation mechanism. According to the NVD record, API keys are exposed in frontend requests, and the backend fails to validate that keys are securely generated and bound to the authenticated user. An attacker can tamper with the API key parameter in the generation request and supply arbitrary values, generating custom API keys without proper authorization. This can lead to unauthorized access to protected endpoints.
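The following is an added illustration, not Capgo's code: a hypothetical key-creation handler in the vulnerable shape the advisory describes (the client supplies the key value and its owner) next to a hardened one that generates the key server-side, binds it to the authenticated session and stores only its hash. The names createKeyInsecure, createKeySecure, resolveKey and keyTable are assumptions made for the example.

```typescript
// Added illustration (not Capgo's code): a key-creation handler that trusts a
// client-supplied key, beside one that generates and binds the key itself.
import { createHash, randomBytes, timingSafeEqual } from "node:crypto";

interface Session { userId: string; }                   // authenticated caller
interface StoredKey { userId: string; keyHash: string; } // what the backend persists
const keyTable: StoredKey[] = [];                        // stand-in for the database

function sha256(s: string): string {
  return createHash("sha256").update(s).digest("hex");
}

// VULNERABLE pattern (CWE-287, as described in the advisory): the request body
// carries both the key and its owner, so any caller can choose the stored value.
function createKeyInsecure(body: { key: string; userId: string }): string {
  keyTable.push({ userId: body.userId, keyHash: sha256(body.key) });
  return body.key;
}

// HARDENED pattern: ignore the body entirely; take the owner from the verified
// session, generate the secret server-side, and persist only its hash.
function createKeySecure(session: Session, _body: unknown): string {
  const key = "cg_" + randomBytes(32).toString("base64url"); // 256 bits of entropy
  keyTable.push({ userId: session.userId, keyHash: sha256(key) });
  return key; // shown to the user once; never stored in clear
}

// Lookup used by protected endpoints: hash the presented key and compare in
// constant time against every stored hash; returns the owner or null.
function resolveKey(presented: string): string | null {
  const h = Buffer.from(sha256(presented), "hex");
  for (const row of keyTable) {
    const stored = Buffer.from(row.keyHash, "hex");
    if (stored.length === h.length && timingSafeEqual(stored, h)) return row.userId;
  }
  return null;
}

function keyCount(): number { return keyTable.length; }
```

The insecure handler lets the caller both pick the secret and name its owner, which is exactly the tamperable-parameter condition the record describes; the hardened one makes the request body irrelevant to what gets stored.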
Why It Matters
The flaw carries a CVSS 3.1 base score of 9.1 (CRITICAL), with a secondary CVSS 4.0 score of 9.3. The vector (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N) shows the issue is exploitable over the network, with low attack complexity, no privileges, and no user interaction required, while inflicting high impact on both confidentiality and integrity. In practice, an unauthenticated remote attacker can mint valid credentials and access data they should never see: a low-effort, high-payoff condition for the attacker.
Note: No CISA KEV entry was supplied for this CVE, so active exploitation is not confirmed in the provided source material.
What's Vulnerable
Per the affected-version data, all Capgo releases before 12.128.2 are affected. Version 12.128.2 and later are listed as unaffected. The supplied record includes no affected CPE entries beyond this version range.
Patch Status
Capgo version 12.128.2 resolves the vulnerability. Organizations running any earlier version should upgrade to 12.128.2 or later. The vendor security advisory (GHSA-22w2-mx2h-4fr7) and the VulnCheck advisory provide further detail. No CISA-mandated remediation action was included in the supplied data.