PT-2026-51221 · Cap Go · Cap-Go

Judel777 · Published 2026-06-21 · Updated 2026-06-21 · CVE-2026-56242

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Capgo versions prior to 12.128.2
Description: The RPC function get_identity_apikey_only() is declared SECURITY DEFINER and can be called without authentication. Given an API key, it returns the id of the user who owns that key. This makes it an API key validity oracle (an attacker submits a candidate key and learns whether it is valid) and a user identity disclosure primitive (each valid key is mapped to its owner's user id). The returned user ids can then be passed to other exposed RPCs, such as get_orgs_v6(), to retrieve organization membership and the email addresses of organization management, i.e. personally identifiable information (PII).
Recommendations: Update to version 12.128.2 or later. As a temporary workaround, restrict access to the get_identity_apikey_only() function so that unauthenticated callers can no longer execute it.
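The following is an added illustration of the pattern behind this advisory and of the recommended workaround, written for a Supabase/PostgreSQL backend; it is not Capgo's schema or code. The apikeys table, its columns, the text parameter type and the function signature are assumptions chosen for the example. In PostgreSQL a newly created function is executable by PUBLIC by default, and in Supabase any function in an exposed schema is therefore reachable through the REST/RPC layer by the anon role until EXECUTE is revoked; combined with SECURITY DEFINER, which runs the body with the owner's privileges and so bypasses row-level security, that is what turns a lookup helper into an unauthenticated key oracle.

```sql
-- Added example, not Capgo's code. Table, column and parameter names are assumed.
create table if not exists public.apikeys (
  key     text primary key,
  user_id uuid not null
);

-- Weak pattern: SECURITY DEFINER bypasses row-level security on apikeys, and
-- EXECUTE is granted to PUBLIC by default, so the anon role can call this via
-- the RPC endpoint and probe arbitrary keys, learning validity and owner id.
create or replace function public.get_identity_apikey_only(apikey text)
returns uuid
language sql
security definer
set search_path = public
as $$
  select user_id from public.apikeys where key = apikey;
$$;

-- Workaround matching the advisory: stop unauthenticated callers from
-- executing the function at all. The explicit parameter list is required
-- so the REVOKE targets the correct overload.
revoke execute on function public.get_identity_apikey_only(text) from public, anon;

-- Hardened form: require an authenticated session and only answer for a key
-- that belongs to the caller, so the function cannot map someone else's key
-- to a user id. auth.uid() is Supabase's helper returning the current user's id.
create or replace function public.get_identity_apikey_only(apikey text)
returns uuid
language sql
security definer
set search_path = public
as $$
  select user_id
  from public.apikeys
  where key = apikey
    and user_id = auth.uid();
$$;

revoke execute on function public.get_identity_apikey_only(text) from public, anon;
grant  execute on function public.get_identity_apikey_only(text) to authenticated;
```

A quick check after applying either change: call the RPC with the anon key and an arbitrary string as the apikey argument; the expected result is a permission error rather than NULL, since a NULL response still confirms the function is reachable and only tells the caller the key was invalid.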

Fix

Information Disclosure


Weakness Enumeration

Related Identifiers

CVE-2026-56242

Affected Products

Cap-Go