CVE-2026-56280: Missing Authorization in Cap-go capgo
Cap-go versions before 12.128.2 have a privilege inversion vulnerability in the GET /build/logs/:jobId endpoint. This flaw allows users with read-only API keys to cancel running native builds by exploiting an abort listener that calls a privileged cancel function without proper authorization checks. This bypasses the intended permission controls of the POST /build/cancel/:jobId endpoint, enabling disruption of native build and CI/CD workflows.
AI Analysis
Technical Summary
The vulnerability in Cap-go prior to version 12.128.2 involves the GET /build/logs/:jobId endpoint registering an abort listener on the server-sent events (SSE) stream. When a client disconnects, this listener unconditionally invokes cancelBuildOnDisconnect() using the privileged BUILDER_API_KEY, bypassing the app.build_native permission check required by the explicit POST /build/cancel/:jobId endpoint. As a result, attackers holding read-only API keys can cancel running native builds, causing repeated disruption to build operations.
Potential Impact
Attackers with read-only API keys can cancel running native builds, which can disrupt continuous integration and deployment workflows. This privilege inversion allows unauthorized cancellation of builds, potentially causing denial of service to legitimate build processes and impacting development pipelines.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict the issuance of read-only API keys to trusted users and monitor usage patterns for unusual disconnections from the GET /build/logs/:jobId endpoint that may indicate exploitation attempts.
CVE-2026-56280: Missing Authorization in Cap-go capgo
Description
Cap-go versions before 12.128.2 have a privilege inversion vulnerability in the GET /build/logs/:jobId endpoint. This flaw allows users with read-only API keys to cancel running native builds by exploiting an abort listener that calls a privileged cancel function without proper authorization checks. This bypasses the intended permission controls of the POST /build/cancel/:jobId endpoint, enabling disruption of native build and CI/CD workflows.
CVSS v4.0
Score 7.1high
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability in Cap-go prior to version 12.128.2 involves the GET /build/logs/:jobId endpoint registering an abort listener on the server-sent events (SSE) stream. When a client disconnects, this listener unconditionally invokes cancelBuildOnDisconnect() using the privileged BUILDER_API_KEY, bypassing the app.build_native permission check required by the explicit POST /build/cancel/:jobId endpoint. As a result, attackers holding read-only API keys can cancel running native builds, causing repeated disruption to build operations.
Potential Impact
Attackers with read-only API keys can cancel running native builds, which can disrupt continuous integration and deployment workflows. This privilege inversion allows unauthorized cancellation of builds, potentially causing denial of service to legitimate build processes and impacting development pipelines.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict the issuance of read-only API keys to trusted users and monitor usage patterns for unusual disconnections from the GET /build/logs/:jobId endpoint that may indicate exploitation attempts.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- VulnCheck
- Date Reserved
- 2026-06-20T01:51:24.919Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a39b29aeed863c81e7e85f2
Added to database: 06/22/2026, 22:09:30 UTC
Last enriched: 06/22/2026, 22:24:07 UTC
Last updated: 06/22/2026, 23:13:55 UTC
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.