Capgo before 12.128.2 contains a broken object level...
High severity
Unreviewed
Published
Jul 1, 2026
to the GitHub Advisory Database
•
Updated Jul 1, 2026
Description
Published by the National Vulnerability Database
Jun 30, 2026
Published to the GitHub Advisory Database
Jul 1, 2026
Last updated
Jul 1, 2026
Capgo before 12.128.2 contains a broken object level authorization vulnerability in middlewareKey() that accepts the client-controlled x-limited-key-id header without validating ownership, allowing authenticated users to adopt cross-tenant limited keys. Attackers can supply another tenant's limited key ID to bypass authorization checks and access unauthorized cross-tenant resources across multiple API endpoints.
References