CVE-2026-56316
Published 2026-06-21
Priority: P4 · 33 · medium · 5.3 (CVSS 3.1)
AV:N / AC:L / PR:N / UI:N / S:U / C:L / I:N / A:N
EPSS: 0.24% (15.2th percentile)
Cap-go before 12.128.2 contains an information disclosure vulnerability in the OPTIONS /build/upload/:jobId/* endpoint that allows unauthenticated attackers to enumerate valid builder job IDs through observable response discrepancies. Attackers can probe the endpoint without authentication to distinguish valid job IDs from invalid ones and generate sustained unauthenticated traffic for resource consumption.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cap-go | capgo | < 12.128.2 | 12.128.2 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
| nvd | v4.0 | 6.9 | MEDIUM | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
GHSA
ghsa_unreviewed · 2026-06-21
CVE-2026-56316 [MEDIUM] CWE-203 Cap-go before 12.128.2 contains an information disclosure vulnerability in the OPTIONS /build/upload/:jobId/* endpoint that allows unauthenticated attackers to enumerate valid builder job IDs through
VulDB
vuldb · 2026-06-21 · CVSS 5.3
CVE-2026-56316 [MEDIUM] Cap-go capgo up to 12.128.1 /build/upload information exposure (GHSA-9c2x-7h5x-37gm / EUVD-2026-38172)
A vulnerability categorized as problematic has been discovered in Cap-go capgo up to 12.128.1. This issue affects some unknown processing of the file /build/upload. The manipulation results in information exposure through discrepancy.
This vulnerability was named CVE-2026-56316. The attack may be performed remotely. There is no available exploit.
It is advisable to upgrade the affected component.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.