All intelligence
// vulnerability record
cached · NVD via COSMOS syncCVE-2026-56230
HIGHpublished 2026-06-30 23:17 UTC · 4 days ago · modified 2026-07-01 16:16 UTC
8.7
CVSS / 10
// description
Capgo before 12.128.2 contains a broken object level authorization vulnerability in middlewareKey() that accepts the client-controlled x-limited-key-id header without validating ownership, allowing authenticated users to adopt cross-tenant limited keys. Attackers can supply another tenant's limited key ID to bypass authorization checks and access unauthorized cross-tenant resources across multiple API endpoints.
// weaknesses (CWE)
- CWE-639