CVE-2026-56306
NVD
CVSS Score: 6.4
Severity: MEDIUM
Published: Jun 22, 2026
Vendor: unknown
Description
Capgo before 12.128.2 contains a weak parsing vulnerability in the x-limited-key-id header that allows attackers to bypass subkey enforcement by submitting malformed values, zero, or duplicate headers that result in NaN or falsy values. Remote attackers can manipulate the x-limited-key-id header to disable limited key scoping and execute requests using the main API key context instead of restricted subkey permissions.
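The failure class described above, as an added example that is not Capgo's code: a lenient numeric coercion that treats NaN and 0 as "no subkey", next to a parser that fails closed. The function names and sample header values are constructed for illustration.

```javascript
// Added example. Function names and sample values are constructed; this is not Capgo's code.

// Lenient pattern: coerce, then use truthiness to decide whether scoping applies.
// NaN and 0 are both falsy, so a present-but-unusable header falls back to the main key.
function lenientScope(raw) {
  const id = Number(raw);
  return id ? { scope: 'subkey', id } : { scope: 'main' };
}

// Fail-closed parser: an absent header is the only way to get main-key context.
// A header that is present must be one canonical positive integer, otherwise reject.
function strictScope(raw) {
  if (raw === null || raw === undefined) return { scope: 'main' };
  // 1-15 digits, no sign, whitespace, exponent, hex prefix or comma.
  // Fetch-style Headers.get() joins duplicate headers with ", ", so duplicates fail here too.
  if (!/^[1-9][0-9]{0,14}$/.test(raw)) return { scope: 'reject' };
  return { scope: 'subkey', id: Number(raw) };
}

// Constructed header values: absent, valid, zero, malformed, empty, duplicated.
const samples = [null, '42', '0', 'abc', '', '7, 8'];

// Run both parsers over the same inputs so the divergence is visible per value.
function compare(values) {
  return values.map((raw) => ({
    raw,
    lenient: lenientScope(raw).scope,
    strict: strictScope(raw).scope,
  }));
}

console.log(compare(samples));
```

Every row where the lenient column reads `main` while the header was actually present is a request that should have been rejected rather than served under the main key.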