CVE-2026-56229

Capgo before 12.128.2 contains an authorization bypass vulnerability in the /build/status and /build/logs endpoints that allows attackers to access build jobs belonging to different applications by supplying a mismatched app id and job id combination. Limited API keys restricted to a single app can retrieve build status and logs from other apps by providing an authorized app id while using a job id from an unauthorized app, exposing sensitive build information including logs, metadata, and potentially credentials.