PT-2026-57429 · Postgresql Global Development Group+1 · Postgresql+1
Judel777
·
Published
2026-07-11
·
Updated
2026-07-11
·
CVE-2026-56303
CVSS v4.0
8.7
High
| Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
Capgo versions prior to 12.128.2
Description
An information disclosure issue exists in the
find apikey by value() PostgreSQL function. This function is marked as SECURITY DEFINER, which allows it to run with the privileges of the user who created it, and is executable by the anon role. Unauthenticated attackers can access the '/rest/v1/rpc/find apikey by value' endpoint to retrieve sensitive API key metadata, such as user id, mode, org scoping, and expiration details, by providing a valid key value.Recommendations
Update to version 12.128.2 or later.
As a temporary mitigation, restrict access to the '/rest/v1/rpc/find apikey by value' endpoint.
Exploit
Fix
Information Disclosure
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Cap-Go
Postgresql