Capgo before 12.128.2 contains a scope isolation...
Moderate severity
Unreviewed
Published
Jul 12, 2026
to the GitHub Advisory Database
•
Updated Jul 12, 2026
Description
Published by the National Vulnerability Database
Jul 12, 2026
Published to the GitHub Advisory Database
Jul 12, 2026
Last updated
Jul 12, 2026
Capgo before 12.128.2 contains a scope isolation vulnerability in the POST /webhooks/test endpoint that allows app-scoped API keys to invoke org-scoped webhook operations. Attackers with app-scoped credentials can trigger signed outbound webhook deliveries for arbitrary organization webhooks outside their declared app boundary, bypassing the limited_to_apps authorization check.
References