PT-2026-51157 · Cap Go · Cap-Go

Judel777 · Published 2026-06-20 · Updated 2026-06-20 · CVE-2026-56319

CVSS v3.1: 4.3 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Capgo versions prior to 12.128.2

Description

An information disclosure issue exists in the 'GET /statistics/app/:app id' endpoint. This allows users with app-limited API keys to identify existing sibling app IDs by analyzing differential error responses. Specifically, attackers can enumerate valid app IDs outside their authorized scope by distinguishing between 500 PGRST116 errors, which occur for inaccessible apps, and 401 errors, which occur for nonexistent apps, thereby compromising tenant isolation.

Recommendations

Update to version 12.128.2. Restrict access to the 'GET /statistics/app/:app id' endpoint or the app id parameter to minimize the risk of enumeration.
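
The differential responses described above, shown as an added TypeScript example that is not Capgo's code: a handler that reproduces the 500 PGRST116 / 401 split beside one that returns a single denial response, plus a regression check that compares the two cases. The handler names, sample app IDs, the internal order of checks, and the choice of 401 for every denial are assumptions.

```typescript
// Added example: data, names and response bodies are constructed, not Capgo's code.
type Resp = { status: number; body: string }
type ApiKey = { limitedToApps: string[] }
type Handler = (appId: string, key: ApiKey) => Resp

// Constructed tenant data: both apps exist, the test key may read only one.
const APPS = new Map<string, { mau: number }>([
  ['com.example.alpha', { mau: 120 }],
  ['com.example.beta', { mau: 75 }],
])

// Stand-in for a scoped single-row read. PGRST116 is PostgREST's code for
// "single object requested, zero rows returned" (assumed cause of the 500).
function readStats(appId: string, key: ApiKey): { mau: number } {
  const row = key.limitedToApps.includes(appId) ? APPS.get(appId) : undefined
  if (!row) throw new Error('PGRST116')
  return row
}

// Before: existence is checked first, so the two denial paths diverge.
function vulnerableHandler(appId: string, key: ApiKey): Resp {
  if (!APPS.has(appId)) return { status: 401, body: 'unauthorized' }
  try {
    return { status: 200, body: JSON.stringify(readStats(appId, key)) }
  } catch (e) {
    return { status: 500, body: (e as Error).message } // reveals the app exists
  }
}

// After: key scope is checked before any lookup, and every denial path
// (out of scope, nonexistent, empty result) returns the same response.
function hardenedHandler(appId: string, key: ApiKey): Resp {
  const denied: Resp = { status: 401, body: 'unauthorized' }
  if (!key.limitedToApps.includes(appId)) return denied
  try {
    return { status: 200, body: JSON.stringify(readStats(appId, key)) }
  } catch {
    return denied
  }
}

// Regression check: true if an out-of-scope app and a nonexistent app
// produce distinguishable responses for the same limited key.
function leaksExistence(handler: Handler, key: ApiKey): boolean {
  const sibling = handler('com.example.beta', key)
  const missing = handler('com.example.missing', key)
  return sibling.status !== missing.status || sibling.body !== missing.body
}
```

A check like `leaksExistence` belongs in the endpoint's test suite so that a later change to error handling cannot reintroduce the split unnoticed.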

Fix

Side Channel Attack

Weakness Enumeration

Related Identifiers

CVE-2026-56319

Affected Products

Cap-Go