Capgo before 12.128.2 contains an authorization bypass vulnerability in the /build/status and /build/logs endpoints that allows attackers to access build jobs belonging to different applications by supplying a mismatched appid and jobid combination. Limited API keys restricted to a single app can retrieve build status and logs from other apps by providing an authorized appid while using a jobid from an unauthorized app, exposing sensitive build information including logs, metadata, and potentially credentials.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/56xxx/CVE-2026-56229.json",
"cna_assigner": "VulnCheck",
"cwe_ids": [
"CWE-639"
]
}