Is CVE-2026-56306 being exploited?

No public exploit is currently tracked.

How severe is CVE-2026-56306?

CVE-2026-56306 has a CVSS v3 severity of MEDIUM (6.4).

Back

CVE-2026-56306

Description

Capgo before 12.128.2 contains a weak parsing vulnerability in the x-limited-key-id header that allows attackers to bypass subkey enforcement by submitting malformed values, zero, or duplicate headers that result in NaN or falsy values. Remote attackers can manipulate the x-limited-key-id header to disable limited key scoping and execute requests using the main API key context instead of restricted subkey permissions.