
    A large group of recently disclosed Capgo vulnerabilities affects versions of the application update platform released before 12.128.2.

    The most serious findings include an API key scope-escalation flaw, cross-tenant exposure of webhook secrets, and an authorization failure that could allow an administrator in one organization to target applications belonging to another organization.

    Other vulnerabilities expose private deployment channel names, allow application identifiers to be enumerated, and make it possible to evade rate limiting by supplying a different device identifier with every request.

    Immediate action: Organizations operating a self-hosted Capgo deployment should upgrade to 12.128.2 or later. Administrators should also rotate Capgo API keys and webhook signing secrets, then review role bindings and administrative activity for unauthorized changes.

    Capgo vulnerability overview

    CVE            | Vulnerability                                                          | Authentication                      | Affected versions
    ---------------|------------------------------------------------------------------------|-------------------------------------|------------------
    CVE-2026-56216 | Restricted API key can create an unrestricted organization key         | App-limited API key required        | Before 12.128.2
    CVE-2026-56079 | Cross-tenant webhook secrets and delivery records exposed              | Organization read key required      | Before 12.128.2
    CVE-2026-56222 | Cross-organization application role binding                            | Organization administrator required | Before 12.128.2
    CVE-2026-56324 | Rate-limit bypass can exhaust the database                             | None                                | Before 12.128.2
    CVE-2026-56323 | Private channel and application enumeration                            | None                                | Before 12.128.2
    CVE-2026-56319 | Application identifiers disclosed through differing errors             | App-limited API key required        | Before 12.128.2
    CVE-2026-56325 | SQL wildcard matching causes incorrect preview application resolution  | Varies by deployment path           | Before 12.128.2
    CVE-2026-56321 | GET role-binding route lacks global authentication middleware          | Handler-level authorization remains | Before 12.128.2

    What is Capgo?

    Capgo is an over-the-air update and release-management platform for applications built with Capacitor. It allows developers to distribute compatible web-layer updates without waiting for a full mobile application release through the Apple App Store or Google Play.

    The platform can manage applications, update bundles, deployment channels, API keys, devices, release statistics, organization memberships and webhook integrations.

    Capgo supports both a hosted service and self-hosted deployments. The vulnerabilities discussed here concern the Capgo backend and management platform. They do not automatically mean that every application embedding the Capgo Capacitor plugin is itself vulnerable; the affected component is the backend those applications talk to.

    High-level explanation of the Capgo vulnerabilities

    At a high level, the vulnerabilities involve failures to consistently enforce several important security boundaries:

    • The boundary between restricted and unrestricted API keys
    • The boundary between separate customer organizations
    • The boundary between public and authenticated endpoints
    • The boundary between organization administrators and application owners
    • The boundary between user-controlled identifiers and trusted rate-limit identifiers

    The most important issue is CVE-2026-56216. It could allow an attacker who obtained a limited API key for one application to create a second API key without the original application restriction.

    Compromise an app-limited API key
                  ↓
    Request creation of another API key
                  ↓
    Submit an empty application limit
                  ↓
    Capgo treats the new key as unrestricted
                  ↓
    Access organization-wide resources

    This does not provide an unauthenticated entry point. The attacker must first obtain a valid restricted API key. However, those keys may be stored in CI/CD systems, build scripts, environment variables, developer workstations or deployment logs.

    CVE-2026-56216: API key scope escalation

    CVE-2026-56216 affects the following Capgo endpoint:

    POST /functions/v1/apikey

    Capgo allows API keys to be limited to specific applications. A build system, for example, might receive permission to upload updates for one application without being allowed to view or manage every application in the organization.

    In vulnerable Capgo versions, an app-limited API key could request the creation of another key while supplying an empty application limit.

    {
      "name": "deployment-key",
      "limited_to_apps": []
    }

    The empty list was treated as an unrestricted scope rather than being constrained by the permissions of the calling key. The invariant the endpoint must enforce is that a key can never mint a key broader than itself:

    new_key_scope must be equal to or narrower than caller_scope

    The vulnerability has the following published ratings:

    • CVSS 4.0: 8.7 High
    • CVSS 3.1: 8.8 High

    The vulnerability is fixed in Capgo 12.128.2.
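    As an added illustration (not Capgo's own code), the following TypeScript models the scope decision behind POST /functions/v1/apikey: the vulnerable resolution that stores the requested list as supplied, beside a hardened resolution that enforces the invariant above. The ApiKey and CreateKeyRequest shapes, the convention that an empty array means "unrestricted", and the sample keys are assumptions made for the example.

```typescript
// Added example (not Capgo's code): deciding the scope of a newly created API key.
// Assumption: an empty limitedToApps array means "unrestricted, organization-wide".

type ApiKey = {
  id: string;
  orgId: string;
  limitedToApps: string[]; // [] = unrestricted
};

type CreateKeyRequest = {
  name: string;
  limited_to_apps?: string[]; // field name taken from the request body shown above
};

function unique(apps: string[]): string[] {
  return Array.from(new Set(apps));
}

// Behaviour described for versions before 12.128.2: the requested list is stored
// as supplied, so an app-limited caller sending [] receives an unrestricted key.
function resolveNewKeyScopeVulnerable(_caller: ApiKey, req: CreateKeyRequest): string[] {
  return unique(req.limited_to_apps ?? []);
}

// Hardened resolution: new_key_scope must be equal to or narrower than caller_scope.
// Throws when the request would widen the caller's scope.
function resolveNewKeyScopeHardened(caller: ApiKey, req: CreateKeyRequest): string[] {
  const requested = unique(req.limited_to_apps ?? []);
  const callerUnrestricted = caller.limitedToApps.length === 0;

  if (callerUnrestricted) {
    // An unrestricted caller may mint keys of any scope, including unrestricted ones.
    return requested;
  }
  if (requested.length === 0) {
    // A limited caller cannot mint an unrestricted key: "no limit given" inherits the caller's limit.
    return caller.limitedToApps.slice();
  }
  const allowed = new Set(caller.limitedToApps);
  const outOfScope = requested.filter((app) => !allowed.has(app));
  if (outOfScope.length > 0) {
    throw new Error(`scope escalation rejected: ${outOfScope.join(", ")} not in caller scope`);
  }
  return requested;
}

function isUnrestricted(scope: string[]): boolean {
  return scope.length === 0;
}

// Constructed sample: a CI key limited to one application asks for a key with no limit.
const ciKey: ApiKey = { id: "key_ci", orgId: "org_a", limitedToApps: ["com.example.app"] };
const orgKey: ApiKey = { id: "key_org", orgId: "org_a", limitedToApps: [] };
const escalationAttempt: CreateKeyRequest = { name: "deployment-key", limited_to_apps: [] };
```

    Inheriting the caller's scope on an empty list keeps existing build scripts working; rejecting the request outright is the stricter alternative. Either is acceptable, as long as the new scope is computed from the caller's scope rather than copied from the request.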

    CVE-2026-56079: cross-tenant webhook-secret exposure

    CVE-2026-56079 is a cross-tenant authorization bypass affecting Capgo’s PostgREST-backed webhook endpoints.

    An organization-scoped read API key could access webhook records and webhook-delivery information belonging to other Capgo tenants, including:

    • Webhook HMAC signing secrets
    • Webhook destination information
    • Webhook delivery payloads
    • Webhook delivery history
    • Operational metadata

    The signing secret is what a receiving service uses to authenticate a delivery; in the usual scheme the sender attaches a MAC computed over the request body:

    signature = HMAC(shared_secret, request_body)

    If an attacker obtains that secret and reproduces Capgo’s expected signing format, the attacker could potentially create a webhook payload with a valid signature.

    The downstream impact depends on how the receiving application validates webhook signatures, checks timestamps or replay protections, and acts on accepted events.

    • CVSS 4.0: 7.1 High
    • CVSS 3.1: 6.5 Medium
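    To make the downstream impact concrete, here is an added example (not Capgo's code) of a webhook receiver and of what a leaked secret buys an attacker. The page does not document Capgo's signing format, so the example assumes a common one: HMAC-SHA256 over `timestamp.body`, carried in x-webhook-timestamp and x-webhook-signature headers. The receiver does the three checks mentioned above (signature, timestamp window, replay) and the scenario shows that a forged delivery signed with the leaked secret passes the signature check, while the timestamp and replay checks still limit what a captured delivery can be reused for.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Added example (not Capgo's code). Assumed signing scheme:
//   signature = hex(HMAC-SHA256(secret, `${timestamp}.${body}`))
// sent in the headers x-webhook-timestamp and x-webhook-signature.

type WebhookHeaders = { "x-webhook-timestamp": string; "x-webhook-signature": string };
type VerifyResult = { ok: boolean; reason: string };

function signWebhook(secret: string, timestampSec: number, body: string): WebhookHeaders {
  const sig = createHmac("sha256", secret).update(`${timestampSec}.${body}`).digest("hex");
  return { "x-webhook-timestamp": String(timestampSec), "x-webhook-signature": sig };
}

// Receiver-side verification: bounded clock skew, constant-time MAC comparison,
// and a replay cache keyed on the signature for the length of the accepted window.
class WebhookVerifier {
  private seen = new Map<string, number>(); // signature -> timestamp when first accepted
  constructor(private secret: string, private maxSkewSec = 300) {}

  verify(headers: WebhookHeaders, body: string, nowSec: number): VerifyResult {
    const ts = Number(headers["x-webhook-timestamp"]);
    if (!Number.isInteger(ts)) return { ok: false, reason: "bad timestamp" };
    if (Math.abs(nowSec - ts) > this.maxSkewSec) return { ok: false, reason: "stale" };

    const expected = Buffer.from(signWebhook(this.secret, ts, body)["x-webhook-signature"], "hex");
    const given = Buffer.from(headers["x-webhook-signature"], "hex");
    if (expected.length !== given.length || !timingSafeEqual(expected, given)) {
      return { ok: false, reason: "bad signature" };
    }

    // Evict cache entries that have aged out of the window, then check for replay.
    const expired: string[] = [];
    this.seen.forEach((seenTs, sig) => { if (nowSec - seenTs > this.maxSkewSec) expired.push(sig); });
    expired.forEach((sig) => this.seen.delete(sig));
    const sigHex = headers["x-webhook-signature"];
    if (this.seen.has(sigHex)) return { ok: false, reason: "replay" };
    this.seen.set(sigHex, ts);
    return { ok: true, reason: "ok" };
  }
}

// Constructed scenario: the victim's receiver trusts LEAKED_SECRET; an attacker who read it
// through the cross-tenant exposure forges a delivery for the victim application.
const LEAKED_SECRET = "whsec_constructed_example_only";
const NOW = 1800000000;
const forgedBody = JSON.stringify({ event: "bundle.published", app_id: "com.example.victim" });

function runWebhookScenario(): { forged: VerifyResult; replayed: VerifyResult; stale: VerifyResult; tampered: VerifyResult } {
  const receiver = new WebhookVerifier(LEAKED_SECRET);
  const headers = signWebhook(LEAKED_SECRET, NOW, forgedBody);
  const forged = receiver.verify(headers, forgedBody, NOW);              // accepted: the MAC is genuine
  const replayed = receiver.verify(headers, forgedBody, NOW + 10);       // same signature again: rejected
  const stale = receiver.verify(headers, forgedBody, NOW + 3600);        // outside the skew window: rejected
  const tampered = receiver.verify(headers, forgedBody.replace("victim", "other"), NOW); // body changed: rejected
  return { forged, replayed, stale, tampered };
}
```

    The point of the scenario is the first result: no amount of receiver-side care distinguishes a forged delivery from a genuine one once the shared secret is known, which is why rotation of the secret, not tighter verification, is the remediation. The other three results show what the timestamp and replay checks do protect against.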

    CVE-2026-56222: cross-organization application access

    CVE-2026-56222 affects:

    POST /private/role_bindings

    The endpoint did not properly verify that the application identified by app_id belonged to an organization the caller was authorized to administer.

    Administrator in Organization A
                  ↓
    Creates a new application role binding
                  ↓
    Supplies an app_id belonging to Organization B
                  ↓
    Capgo fails to verify application ownership
                  ↓
    Unauthorized access to the victim application

    The NVD description states that this could enable unauthorized reading and modification of victim applications.

    • CVSS 4.0: 8.6 High
    • CVSS 3.1: 7.2 High
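    As an added example (not Capgo's code), the following TypeScript shows the authorization check that was missing: the vulnerable version trusts the org_id in the request and only asks whether the caller administers that organization, while the fixed version derives the owning organization from the application record itself. The in-memory tables, field names and users are constructed for the example.

```typescript
// Added example (not Capgo's code): authorizing a role-binding creation request.
// Assumed in-memory model with constructed data.

type Role = "admin" | "read" | "upload";
type App = { appId: string; ownerOrg: string };
type Membership = { userId: string; orgId: string; role: Role };
type RoleBindingRequest = { org_id: string; app_id: string; user_id: string; role: Role };

const APPS: App[] = [
  { appId: "com.orga.shop", ownerOrg: "org_a" },
  { appId: "com.orgb.bank", ownerOrg: "org_b" },
];
const MEMBERSHIPS: Membership[] = [
  { userId: "alice", orgId: "org_a", role: "admin" },
  { userId: "bob", orgId: "org_b", role: "admin" },
];

function isOrgAdmin(userId: string, orgId: string): boolean {
  return MEMBERSHIPS.some((m) => m.userId === userId && m.orgId === orgId && m.role === "admin");
}

// Vulnerable check, as described for versions before 12.128.2: trusts the org_id in
// the request and never confirms that app_id belongs to that organization.
function authorizeRoleBindingVulnerable(caller: string, req: RoleBindingRequest): boolean {
  return isOrgAdmin(caller, req.org_id);
}

// Fixed check: look up the application's owning organization server-side, require it to
// match the organization named in the request, and check admin rights against it.
function authorizeRoleBindingFixed(caller: string, req: RoleBindingRequest): boolean {
  const app = APPS.find((a) => a.appId === req.app_id);
  if (!app) return false;                      // unknown application: deny
  if (app.ownerOrg !== req.org_id) return false; // request names an org that does not own the app: deny
  return isOrgAdmin(caller, app.ownerOrg);
}

// Constructed cross-tenant attempt: alice (admin of org_a) binds herself to org_b's application.
const crossTenantRequest: RoleBindingRequest = { org_id: "org_a", app_id: "com.orgb.bank", user_id: "alice", role: "admin" };
// Constructed legitimate request: alice grants a colleague read access to org_a's own application.
const legitimateRequest: RoleBindingRequest = { org_id: "org_a", app_id: "com.orga.shop", user_id: "carol", role: "read" };
```

    The rule generalizes to any endpoint that takes both a tenant identifier and a resource identifier: authorize against the resource's stored owner, never against a tenant the client named.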

    CVE-2026-56324: rate-limit bypass and database exhaustion

    CVE-2026-56324 affects the Capgo channel_self endpoint.

    The endpoint used the user-controlled device_id value as part of its rate-limiting logic. An attacker could evade the limit by changing that value with every request.

    device_id=device-00001
    device_id=device-00002
    device_id=device-00003
    device_id=device-00004

    At sufficient volume, this could cause rapid database growth, higher storage costs, application slowdowns and denial of service.
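    The following TypeScript is an added example (not Capgo's code) that makes the bypass measurable: a fixed-window limiter is fed 1000 requests from one source address, each carrying a fresh device_id, once keyed the vulnerable way and once keyed on the network source. The limiter, the key functions and the assumption that genuine device identifiers are UUIDs are all constructed for the example.

```typescript
// Added example (not Capgo's code): why keying a rate limiter on a client-supplied
// identifier is bypassable, and one way to key it instead.

type ChannelRequest = { app_id: string; device_id: string; source_ip: string };
type Decision = "allow" | "limit";

// Fixed-window counter. The clock is passed in so runs are deterministic.
class FixedWindowLimiter {
  private buckets = new Map<string, { windowStart: number; count: number }>();
  constructor(private limit: number, private windowMs: number) {}

  hit(key: string, nowMs: number): Decision {
    const b = this.buckets.get(key);
    if (!b || nowMs - b.windowStart >= this.windowMs) {
      this.buckets.set(key, { windowStart: nowMs, count: 1 });
      return "allow";
    }
    b.count += 1;
    return b.count <= this.limit ? "allow" : "limit";
  }
}

// Vulnerable keying: the client controls device_id, so a fresh value per request is a
// fresh bucket per request and the counter never reaches the limit.
function keyOnDeviceId(req: ChannelRequest): string {
  return `${req.app_id}:${req.device_id}`;
}

// Hardened keying: the client does not control the source address the reverse proxy
// reports, so rotating device_id does not create new buckets.
function keyOnSource(req: ChannelRequest): string {
  return `${req.source_ip}:${req.app_id}`;
}

// Secondary control: refuse to persist device rows for identifiers that do not look like
// the client-generated UUIDs a real app sends (assumed format for this example).
const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
function deviceIdLooksValid(id: string): boolean {
  return UUID_RE.test(id);
}

// Simulate `requests` calls from one source inside a single window, each with a new device_id.
function simulateRotation(
  keyFn: (r: ChannelRequest) => string,
  requests: number,
  limit: number,
): { allowed: number; limited: number; distinctKeys: number } {
  const limiter = new FixedWindowLimiter(limit, 60000);
  const keys = new Set<string>();
  let allowed = 0;
  let limited = 0;
  for (let i = 0; i < requests; i++) {
    const req: ChannelRequest = {
      app_id: "com.example.app",
      device_id: "device-" + ("00000" + i).slice(-5), // device-00000, device-00001, ...
      source_ip: "198.51.100.7",
    };
    const key = keyFn(req);
    keys.add(key);
    if (limiter.hit(key, 1000 + i) === "allow") allowed++; else limited++;
  }
  return { allowed, limited, distinctKeys: keys.size };
}
```

    Two caveats a practitioner would want: keying on source address penalizes users behind shared NAT, so the per-source limit must be generous and the address must come from the reverse proxy's trusted forwarding header rather than a client-settable one; and the limiter only stops the request rate, so the row-creation path also needs the identifier validation shown above to stop the table growth described in this section.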

    CVE-2026-56323: unauthenticated channel enumeration

    CVE-2026-56323 affects:

    GET /functions/v1/channel_self

    Unauthenticated attackers could submit arbitrary application identifiers and use the endpoint to disclose non-public deployment channel names, application existence, valid application identifiers and subscription status.

    CVE-2026-56319: application-ID enumeration through error differences

    CVE-2026-56319 affects:

    GET /statistics/app/:app_id

    An app-limited API key could determine whether sibling application identifiers existed outside its authorized scope by comparing error responses:

    • Existing but inaccessible application: 500 PGRST116
    • Nonexistent application: 401

    The vulnerability has the following published ratings:

    • CVSS 4.0: 5.3 Medium
    • CVSS 3.1: 4.3 Medium
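    As an added example (not Capgo's code), the following TypeScript reproduces the shape of the oracle and removes it. The vulnerable handler models the behaviour the page reports, with the ownership lookup failing first for a missing application and the scoped query failing later for an existing one; how Capgo's real handler arrived at those two codes is not documented here and is not claimed. The fixed handler decides visibility before doing anything observable and returns one identical response for "missing" and "outside your scope". The statistics table and key scope are constructed.

```typescript
// Added example (not Capgo's code): an error-difference oracle and a uniform response.
// The table and scopes are constructed for the example.

type ApiResponse = { status: number; body: string };
type KeyContext = { limitedToApps: string[] }; // [] = unrestricted

const STATS = new Map<string, { downloads: number }>([
  ["com.example.app", { downloads: 1200 }],
  ["com.example.sibling", { downloads: 37 }],
]);

function inScope(ctx: KeyContext, appId: string): boolean {
  return ctx.limitedToApps.length === 0 || ctx.limitedToApps.indexOf(appId) !== -1;
}

// Models the reported behaviour: a nonexistent app fails an early check with 401, while an
// existing but out-of-scope app reaches the scoped query, which finds no row and surfaces
// the PostgREST "no rows" error as a 500. The two paths are distinguishable.
function appStatsVulnerable(ctx: KeyContext, appId: string): ApiResponse {
  if (!STATS.has(appId)) return { status: 401, body: "Unauthorized" };
  const row = inScope(ctx, appId) ? STATS.get(appId) : undefined;
  if (!row) return { status: 500, body: "PGRST116" };
  return { status: 200, body: JSON.stringify(row) };
}

// Fixed: decide visibility first and answer "not visible" identically whether the
// application is missing or merely outside the caller's scope.
const NOT_VISIBLE: ApiResponse = { status: 404, body: "Not found" };
function appStatsFixed(ctx: KeyContext, appId: string): ApiResponse {
  const row = STATS.get(appId);
  if (!row || !inScope(ctx, appId)) return { ...NOT_VISIBLE };
  return { status: 200, body: JSON.stringify(row) };
}

function responsesDiffer(a: ApiResponse, b: ApiResponse): boolean {
  return a.status !== b.status || a.body !== b.body;
}

// Constructed caller: a key limited to one application probing for a sibling.
const limitedKey: KeyContext = { limitedToApps: ["com.example.app"] };
```

    Status code and body are the obvious channels; response time and headers are the next ones, and the same "decide first, then answer uniformly" ordering is what keeps those from leaking as well.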

    CVE-2026-56325: SQL wildcard confusion

    CVE-2026-56325 concerns the application lookup used by Capgo’s preview-subdomain resolver.

    The affected query used SQL ILIKE pattern matching instead of an exact comparison for the application identifier.

    WHERE app_id ILIKE :app_id

    instead of:

    WHERE app_id = :app_id

    A specially constructed application identifier containing wildcard characters could match another identifier that was not exactly equal.
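    To show what "not exactly equal" means in practice, here is an added example (not Capgo's code) that emulates PostgreSQL ILIKE semantics in TypeScript and runs the preview lookup three ways: with the pattern match the vulnerable query used, with the exact comparison the fix calls for, and with wildcard escaping for cases where pattern matching is genuinely wanted. The identifier list is constructed; the emulation covers `%`, `_`, backslash escaping and case-insensitivity, which is the standard ILIKE behaviour.

```typescript
// Added example (not Capgo's code): emulating Postgres ILIKE to show how a
// wildcard-bearing identifier matches a different identifier, and two fixes.

function escapeRegExp(ch: string): string {
  return ch.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// ILIKE semantics: % matches any run of characters, _ matches exactly one character,
// a backslash escapes the following character, and the comparison is case-insensitive.
function ilikeToRegExp(pattern: string): RegExp {
  let re = "^";
  for (let i = 0; i < pattern.length; i++) {
    const c = pattern[i];
    if (c === "\\" && i + 1 < pattern.length) {
      re += escapeRegExp(pattern[++i]);
    } else if (c === "%") {
      re += "[\\s\\S]*";
    } else if (c === "_") {
      re += "[\\s\\S]";
    } else {
      re += escapeRegExp(c);
    }
  }
  return new RegExp(re + "$", "i");
}

function ilike(value: string, pattern: string): boolean {
  return ilikeToRegExp(pattern).test(value);
}

// Escapes a literal so it can be placed in a LIKE/ILIKE pattern without wildcard meaning.
function escapeLikeLiteral(literal: string): string {
  return literal.replace(/[\\%_]/g, "\\$&");
}

// Constructed application table.
const APP_IDS = ["com.example.app", "com.example.bpp", "org.victim.shop"];

// WHERE app_id ILIKE :app_id   (the vulnerable form)
function resolvePreviewAppVulnerable(appId: string): string[] {
  return APP_IDS.filter((id) => ilike(id, appId));
}

// WHERE app_id = :app_id   (the fix)
function resolvePreviewAppExact(appId: string): string[] {
  return APP_IDS.filter((id) => id === appId);
}

// WHERE app_id ILIKE :escaped_app_id   (only if pattern matching is really required)
function resolvePreviewAppEscaped(appId: string): string[] {
  return APP_IDS.filter((id) => ilike(id, escapeLikeLiteral(appId)));
}
```

    With the vulnerable form, `com.example._pp` resolves to two applications and `%` resolves to all of them; with exact comparison neither resolves to anything. Note that the case-insensitivity of ILIKE is itself a second source of confusion for identifiers that are meant to be case-sensitive.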

    CVE-2026-56321: inconsistent authentication middleware

    CVE-2026-56321 is a separate issue from CVE-2026-56222. It affects:

    GET /private/role_bindings/:org_id

    The GET route did not apply the same global authentication middleware used by the POST and DELETE routes. However, the handler still performed its own authorization check and returned Unauthorized, so no direct data exposure was documented.

    • CVSS 4.0: 6.9 Medium
    • CVSS 3.1: 5.3 Medium

    Affected Capgo versions

    Capgo versions earlier than 12.128.2

    The common fixed release is:

    Capgo 12.128.2

    Who needs to take action?

    Self-hosted Capgo administrators

    • Upgrade the Capgo backend to 12.128.2 or later
    • Apply associated database migrations
    • Redeploy or restart affected services
    • Confirm the active server version
    • Rotate API keys and webhook secrets
    • Review database and application logs

    Capgo hosted-service customers

    • Confirm remediation status with Capgo
    • Rotate sensitive API keys
    • Rotate webhook HMAC secrets
    • Review organization memberships
    • Review application role bindings
    • Investigate unexplained API or webhook activity

    How to detect possible exploitation

    API key indicators

    • Keys created by app-limited credentials
    • New keys with empty application restrictions
    • Unrestricted keys created by identities expected to have limited access
    • Unexpected API key names
    • Organization-wide API requests immediately after key creation
    • API keys used from previously unseen network locations

    Webhook indicators

    • Read API keys querying webhook records unexpectedly
    • Bulk access to webhook-delivery history
    • Queries involving unfamiliar organization identifiers
    • Correctly signed webhook messages from unexpected sources
    • Valid signatures attached to unexpected event types
    • Repeated or replayed webhook events

    Role-binding indicators

    • Applications that do not belong to the associated organization
    • Unexpected users or service accounts
    • New app-scoped permissions created by organization administrators
    • Recent role-binding activity targeting unfamiliar application IDs

    Channel and database indicators

    • Rapidly rotating device_id values
    • Generated or sequential-looking device identifiers
    • Large numbers of records with no later device activity
    • Sudden table-size growth
    • High request volume from a small set of network sources
    • Repeated requests containing different app_id values
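    As an added example (not Capgo's code, and not a log format Capgo is known to emit), the following TypeScript runs two of the indicators above over constructed JSON-per-line gateway logs: API key creation by an app-limited key whose requested limit is empty or wider than its own, and a burst of distinct device_id values against channel_self from a single source address. The field names (key_id, key_scope, query, body) are assumptions about what a reverse proxy or API gateway could be configured to log.

```typescript
// Added example (not Capgo's code): two detections from the indicator lists above,
// run over constructed JSON-per-line gateway logs. Field names are assumed.

type LogEvent = {
  ts: string;                          // ISO-8601 timestamp
  ip: string;                          // client source as reported by the reverse proxy
  method: string;
  path: string;
  key_id?: string;                     // API key used, if any
  key_scope?: string[];                // scope of the calling key; [] = unrestricted
  body?: { limited_to_apps?: string[] };
  query?: { app_id?: string; device_id?: string };
};

function pad(n: number, width: number): string {
  return ("0000000000" + n).slice(-width);
}

// Constructed sample log: a scope-escalation attempt, a legitimate narrowing, an
// attempt to mint a key for a sibling app, one genuine device, and a device_id flood.
function constructedSampleLog(): string[] {
  const fixed = [
    JSON.stringify({ ts: "2026-03-02T10:00:01Z", ip: "203.0.113.5", method: "POST", path: "/functions/v1/apikey",
      key_id: "key_ci", key_scope: ["com.example.app"], body: { limited_to_apps: [] } }),
    JSON.stringify({ ts: "2026-03-02T10:05:00Z", ip: "203.0.113.9", method: "POST", path: "/functions/v1/apikey",
      key_id: "key_org", key_scope: [], body: { limited_to_apps: ["com.example.app"] } }),
    JSON.stringify({ ts: "2026-03-02T10:06:00Z", ip: "203.0.113.5", method: "POST", path: "/functions/v1/apikey",
      key_id: "key_ci2", key_scope: ["com.example.app"], body: { limited_to_apps: ["com.example.other"] } }),
    JSON.stringify({ ts: "2026-03-02T10:10:03Z", ip: "192.0.2.44", method: "GET", path: "/functions/v1/channel_self",
      query: { app_id: "com.example.app", device_id: "1b4e28ba-2fa1-11d2-883f-0016d3cca427" } }),
  ];
  const rotating: string[] = [];
  for (let i = 0; i < 50; i++) {
    rotating.push(JSON.stringify({ ts: `2026-03-02T10:10:${pad(i, 2)}Z`, ip: "198.51.100.7", method: "GET",
      path: "/functions/v1/channel_self", query: { app_id: "com.example.app", device_id: `device-${pad(i, 5)}` } }));
  }
  return fixed.concat(rotating);
}

function parseLog(lines: string[]): LogEvent[] {
  return lines.filter((l) => l.trim().length > 0).map((l) => JSON.parse(l) as LogEvent);
}

// Indicator: an app-limited key creates a key whose limit is empty (unrestricted) or names
// an application outside the creator's own scope. Returns the offending key_ids in order.
function detectScopeEscalation(events: LogEvent[]): string[] {
  const hits: string[] = [];
  for (const e of events) {
    if (e.method !== "POST" || e.path !== "/functions/v1/apikey") continue;
    const creatorScope = e.key_scope;
    if (!creatorScope || creatorScope.length === 0) continue; // unrestricted creator may mint any scope
    const requested = (e.body && e.body.limited_to_apps) || [];
    const widened = requested.length === 0 || requested.some((a) => creatorScope.indexOf(a) === -1);
    if (widened && e.key_id) hits.push(e.key_id);
  }
  return hits;
}

// Indicator: many distinct device_id values for channel_self from one source address.
function detectDeviceIdChurn(events: LogEvent[], minDistinct: number): { ip: string; distinct: number }[] {
  const perIp = new Map<string, Set<string>>();
  for (const e of events) {
    if (e.path !== "/functions/v1/channel_self" || !e.query || !e.query.device_id) continue;
    let ids = perIp.get(e.ip);
    if (!ids) { ids = new Set<string>(); perIp.set(e.ip, ids); }
    ids.add(e.query.device_id);
  }
  const out: { ip: string; distinct: number }[] = [];
  perIp.forEach((ids, ip) => { if (ids.size >= minDistinct) out.push({ ip, distinct: ids.size }); });
  return out;
}

const SAMPLE_EVENTS = parseLog(constructedSampleLog());
```

    Both detections are retrospective: run them over the retention window that covers the period before the upgrade to 12.128.2, since that is when exploitation would have gone unblocked. The churn threshold should be set from a baseline of legitimate distinct-device counts per source, which is higher for corporate NAT egress than the value used here.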


    Capgo remediation guidance

    1. Upgrade to Capgo 12.128.2 or later

    Upgrade the backend and apply every required database migration. Confirm that production is running the corrected code.

    2. Revoke and rotate API keys

    • App-limited keys
    • Organization-wide keys
    • Keys stored in GitHub Actions or other CI/CD systems
    • Keys stored in environment files
    • Keys exposed in build output or logs
    • Keys shared between people or systems

    3. Rotate webhook signing secrets

    Replace webhook HMAC secrets and update every receiving service.

    4. Audit application and organization permissions

    Verify that every application-scoped role binding references an application owned by the expected organization.

    5. Add compensating controls

    • Reverse-proxy rate limiting
    • Web application firewall rules
    • Network restrictions for administrative endpoints
    • Centralized API request logging
    • Alerts for API key creation
    • Alerts for role-binding changes
    • Database growth and query-rate monitoring

    Are the Capgo vulnerabilities remote code execution?

    No. None of the vulnerabilities described in this advisory is remote code execution, and none should be reported as such.

    The documented impacts include API key privilege escalation, cross-tenant information disclosure, unauthorized application access, webhook-secret exposure, application and channel enumeration, and database resource exhaustion.

    Final assessment

    The Capgo vulnerability cluster is more important than any one CVE in isolation.

    CVE-2026-56216 could convert a narrowly scoped application key into an unrestricted organization credential. CVE-2026-56079 could expose webhook secrets across tenant boundaries. CVE-2026-56222 could allow an administrator in one organization to create access targeting an application owned by another organization.

    Organizations using Capgo should upgrade to version 12.128.2 or later, rotate API keys and webhook secrets, audit role bindings and examine logs for suspicious credential creation, cross-tenant access and high-volume channel requests.

    Frequently asked questions

    What versions of Capgo are vulnerable?

    The primary vulnerabilities in this advisory affect Capgo versions earlier than 12.128.2.

    What is the most serious Capgo CVE?

    CVE-2026-56216 is one of the most significant findings because a compromised app-limited API key could create an unrestricted key with organization-wide access.

    Does CVE-2026-56216 require authentication?

    Yes. An attacker must first possess a valid app-limited API key.

    Can the Capgo vulnerabilities lead to remote code execution?

    No remote code execution is documented for the vulnerabilities covered in this advisory.

    Are all applications using a Capgo plugin vulnerable?

    No. These findings primarily affect the Capgo backend and management platform.

    Should Capgo webhook secrets be rotated?

    Yes. Because CVE-2026-56079 could expose cross-tenant webhook HMAC secrets, affected organizations should rotate those secrets after confirming the platform has been patched.

    What should administrators do first?

    Upgrade Capgo to 12.128.2 or later, verify the running backend version, revoke and rotate API keys, rotate webhook signing secrets, and audit role bindings.
