Capgo - Authorization Bypass in API Key Management via App-Limited Keys
Description
Capgo before 12.128.2 contains an authorization bypass vulnerability in its public API key management handlers (get/put/delete/post). API keys created with mode=all but restricted to a single app via limited_to_apps are only checked for limited_to_orgs and not for limited_to_apps, so an app-scoped key can enumerate, update, and delete sibling API keys belonging to the same account that are outside its declared app scope, enabling tampering with account-level credentials.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
1Patches
Vulnerability mechanics
Root cause
"Missing authorization check for limited_to_apps in API key management handlers allows app-scoped keys to tamper with sibling account keys outside their scope."
Attack vector
An attacker who possesses an API key created with `mode=all` but restricted to a single app via `limited_to_apps` can send authenticated requests to the `/apikey` endpoints. The handlers only check for `limited_to_orgs` and do not enforce the `limited_to_apps` boundary, so the attacker can list, modify, or delete any sibling API key belonging to the same account, including unrestricted account-level keys [ref_id=1]. This is an authorization bypass (improper enforcement of access restrictions).
Affected code
The vulnerability resides in the public API key management handlers: `supabase/functions/_backend/public/apikey/get.ts`, `put.ts`, `delete.ts`, and `post.ts`. The handlers accept `middlewareV2(['all'])` and reject keys with `limited_to_orgs` but fail to reject keys with `limited_to_apps`, allowing an app-scoped key to enumerate, update, and delete sibling API keys outside its declared app scope [ref_id=1].
What the fix does
The advisory does not include a patch diff, but the fix would require the API key management handlers to reject requests where the authenticating key has `limited_to_apps` set and the target operation involves a key outside that app scope. Currently the handlers only reject keys with `limited_to_orgs`, leaving the `limited_to_apps` boundary unenforced for read, update, and delete operations on sibling keys [ref_id=1].
Preconditions
- authAttacker must possess a valid API key with mode=all that is restricted to a single app via limited_to_apps
- inputThe target sibling API keys must belong to the same account (same user)
- networkNetwork access to the Capgo API endpoint (https://api.capgo.app)
Generated on Jun 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
2- github.com/Cap-go/capgo/security/advisories/GHSA-hwc7-j2p6-43xpmitrevendor-advisory
- www.vulncheck.com/advisories/capgo-authorization-bypass-in-api-key-management-via-app-limited-keysmitrethird-party-advisory
News mentions
0No linked articles in our index yet.