PT-2026-51154 · Cap Go · Cap-Go
Judel777 · Published 2026-06-20 · Updated 2026-06-20
CVE-2026-56295
CVSS v3.1: 6.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Name of the Vulnerable Software and Affected Versions
Capgo versions prior to 12.128.2
Description
An authorization bypass exists in webhook management endpoints. This issue allows non-expiring API keys to bypass the require apikey expiration organization policy because the checkWebhookPermission() function fails to call apikeyHasOrgRightWithPolicy. Consequently, attackers using legacy non-expiring keys can list, create, and delete webhooks even when an organizational policy explicitly requires key expiration.
Recommendations
Update to version 12.128.2 or later.
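The flaw described above, modelled as an added example that is not Capgo's code: a webhook permission check that stops at the plain right check, next to one that delegates to a policy-aware helper. Only the names checkWebhookPermission and apikeyHasOrgRightWithPolicy come from the advisory. Every type, field, signature, the apikeyHasOrgRight helper and the sample keys are assumptions constructed for illustration.

```typescript
// Illustrative model. Types, fields and signatures are assumptions, not Capgo source.
type ApiKey = { orgId: string; mode: "read" | "all"; expiresAt: Date | null };
type OrgPolicy = { requireApikeyExpiration: boolean };
type Decision = { allowed: boolean; reason: string };

// Constructed sample data: one org that requires expiring keys, three keys.
const orgPolicies: Record<string, OrgPolicy> = {
  "org-1": { requireApikeyExpiration: true },
};
const legacyKey: ApiKey = { orgId: "org-1", mode: "all", expiresAt: null };
const expiringKey: ApiKey = { orgId: "org-1", mode: "all", expiresAt: new Date("2030-01-01T00:00:00Z") };
const staleKey: ApiKey = { orgId: "org-1", mode: "all", expiresAt: new Date("2020-01-01T00:00:00Z") };

// Hypothetical helper: membership and mode only, no knowledge of org policy.
function apikeyHasOrgRight(key: ApiKey, orgId: string): boolean {
  return key.orgId === orgId && key.mode === "all";
}

// Membership and mode, then the org's key-expiration policy. Fails closed.
function apikeyHasOrgRightWithPolicy(key: ApiKey, orgId: string, now: Date): Decision {
  if (!apikeyHasOrgRight(key, orgId)) return { allowed: false, reason: "no_org_right" };
  const policy = orgPolicies[orgId];
  if (policy === undefined) return { allowed: false, reason: "unknown_org" };
  if (key.expiresAt === null) {
    return policy.requireApikeyExpiration
      ? { allowed: false, reason: "policy_requires_expiring_key" }
      : { allowed: true, reason: "ok" };
  }
  if (key.expiresAt.getTime() <= now.getTime()) return { allowed: false, reason: "key_expired" };
  return { allowed: true, reason: "ok" };
}

// Shape of the flaw (assumed): the webhook check never consults the policy.
function checkWebhookPermissionBefore(key: ApiKey, orgId: string): Decision {
  return apikeyHasOrgRight(key, orgId)
    ? { allowed: true, reason: "ok" }
    : { allowed: false, reason: "no_org_right" };
}

// Shape of the fix (assumed): the webhook check delegates to the policy-aware helper.
function checkWebhookPermissionFixed(key: ApiKey, orgId: string, now: Date): Decision {
  return apikeyHasOrgRightWithPolicy(key, orgId, now);
}
```

The same assertions work as a regression test for any endpoint that authorizes API keys: a key with no expiry must be refused wherever the organization requires expiration.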
Fix
Improper Authorization
Weakness Enumeration
Related Identifiers
Affected Products
Cap-Go