CVE-2026-56252 in Capgo
Summary
by MITRE • 07/12/2026
Capgo before 12.128.2 contains a scope isolation vulnerability in the POST /webhooks/test endpoint that allows app-scoped API keys to invoke org-scoped webhook operations. Attackers with app-scoped credentials can trigger signed outbound webhook deliveries for arbitrary organization webhooks outside their declared app boundary, bypassing the limited_to_apps authorization check.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 07/12/2026
This vulnerability represents a critical scope isolation flaw in the Capgo platform affecting versions prior to 12.128.2. The issue manifests within the POST /webhooks/test endpoint where proper authorization boundaries fail to enforce the intended access controls. The core technical flaw stems from inadequate validation of API key scopes during webhook invocation processes, allowing malicious actors with limited app-scoped credentials to escalate their privileges and execute organization-wide webhook operations.
The vulnerability operates through a fundamental breakdown in the authorization model where app-scoped API keys should be restricted to actions within their declared application boundaries. However, the system fails to properly validate whether the webhook operation being triggered aligns with the scope limitations defined by the issuing API key. This creates an unauthorized access path that permits attackers to leverage their limited credentials to initiate outbound webhook deliveries for any organization webhook configuration regardless of their actual authorization level.
From an operational impact perspective, this vulnerability exposes organizations to significant security risks including potential data exfiltration through webhook payloads, unauthorized system notifications, and possible cascading effects on integrated third-party services. The attack vector allows adversaries to bypass standard access controls that should prevent app-scoped users from accessing organization-wide resources, effectively undermining the principle of least privilege enforcement. This type of scope escalation vulnerability directly relates to CWE-284 which addresses improper access control mechanisms and aligns with ATT&CK technique T1078.004 for valid accounts usage.
The security implications extend beyond immediate unauthorized webhook execution as attackers can potentially use this vulnerability to enumerate organization webhook configurations, map system integrations, and craft more sophisticated attacks leveraging the bypassed authorization checks. Organizations may experience unintended data flows through webhook channels that were never intended to be accessible by app-scoped users, creating potential exposure for sensitive information processing and system integrity.
Mitigation strategies should focus on implementing strict scope validation mechanisms for all webhook operations, ensuring that API key permissions are properly enforced at the endpoint level. The fix requires enhanced authorization checks that verify both the identity of the requesting API key and its appropriate scope limitations before allowing webhook execution. Organizations should also consider implementing additional monitoring for unusual webhook activity patterns and establish proper access control policies that prevent app-scoped credentials from triggering org-scoped operations. Regular security assessments should validate that authorization boundaries remain properly enforced across all application endpoints to prevent similar scope isolation vulnerabilities from emerging in other components of the system architecture.