PT-2026-57429 · Postgresql Global Development Group+1 · Postgresql+1

Judel777

·

Published

2026-07-11

·

Updated

2026-07-11

·

CVE-2026-56303

CVSS v4.0

8.7

High

VectorAV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions Capgo versions prior to 12.128.2
Description An information disclosure issue exists in the find apikey by value() PostgreSQL function. This function is marked as SECURITY DEFINER, which allows it to run with the privileges of the user who created it, and is executable by the anon role. Unauthenticated attackers can access the '/rest/v1/rpc/find apikey by value' endpoint to retrieve sensitive API key metadata, such as user id, mode, org scoping, and expiration details, by providing a valid key value.
Recommendations Update to version 12.128.2 or later. As a temporary mitigation, restrict access to the '/rest/v1/rpc/find apikey by value' endpoint.

Exploit

Fix

Information Disclosure

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-56303
GHSA-2XJQ-H43M-592F

Affected Products

Cap-Go
Postgresql