CVE-2026-56221
Deferred Deferred - Pending Action

SQL Injection in Cap-go Cloudflare Integration

Vulnerability report for CVE-2026-56221, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-22

Last updated on: 2026-06-23

Assigner: VulnCheck

Description

Cap-go before 12.128.2 contains multiple SQL injection vulnerabilities in cloudflare.ts where user-controlled values from API request bodies are interpolated directly into SQL query strings without sanitization or parameterization. Authenticated users with read-level API key permissions can inject arbitrary SQL through deviceIds, search, version_name, cursor, and actions parameters to access analytics data belonging to other users or applications.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-22
Last Modified
2026-06-23
Generated
2026-07-13
AI Q&A
2026-06-23
EPSS Evaluated
2026-07-11
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
cap-go cap-go 12.128.2

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

This vulnerability allows authenticated users with read-level API key permissions to inject arbitrary SQL commands and access analytics data belonging to other users or applications. Such unauthorized access and potential data exfiltration can lead to violations of data protection regulations like GDPR and HIPAA, which mandate strict controls over personal and sensitive data access and confidentiality.

By enabling cross-tenant data access and information disclosure, the vulnerability undermines data isolation and confidentiality requirements, increasing the risk of non-compliance with standards that require protection of user data against unauthorized access.

Executive Summary

This vulnerability exists in Cap-go versions before 12.128.2 and involves multiple SQL injection flaws in the cloudflare.ts component. Specifically, user-controlled values from API request bodies are directly inserted into SQL query strings without proper sanitization or parameterization.

Authenticated users with read-level API key permissions can exploit this by injecting arbitrary SQL through parameters such as deviceIds, search, version_name, cursor, and actions.

This allows them to access analytics data that belongs to other users or applications, which they should not normally be able to see.

Impact Analysis

The vulnerability can lead to unauthorized access to sensitive analytics data belonging to other users or applications.

Since attackers can inject arbitrary SQL, they might retrieve confidential information, potentially leading to data breaches.

This could compromise privacy and trust, and may also expose the affected system to further attacks if exploited.

Detection Guidance

This vulnerability can be detected by monitoring API requests to the Cap-go service, specifically looking for suspicious or malformed SQL payloads in parameters such as deviceIds, search, version_name, cursor, and actions.

Detection can involve inspecting logs for unusual SQL syntax or unexpected data access patterns originating from authenticated users with read-level API key permissions.

While no explicit commands are provided in the resources, typical detection commands might include using network traffic analysis tools like tcpdump or Wireshark to capture API request bodies, or querying application logs for suspicious parameter values.

  • Use grep or similar tools to search logs for SQL keywords or suspicious characters in the affected parameters, e.g., grep -E "deviceIds|search|version_name|cursor|actions" /path/to/logs | grep -E "(SELECT|UNION|--|;|')"
  • Monitor API request payloads for unexpected SQL syntax or injection patterns.
Mitigation Strategies

Immediate mitigation steps include upgrading Cap-go to version 12.128.2 or later, where the vulnerability has been fixed by sanitizing SQL inputs and applying strict input validation.

If upgrading is not immediately possible, restrict or revoke read-level API key permissions to limit the ability of authenticated users to exploit the SQL injection.

Additionally, implement network-level controls to monitor and block suspicious API requests containing SQL injection patterns.

The fix involves using a sanitizeSqlString() utility and applying regex-based input validation to all user-controlled values before they are interpolated into SQL queries.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-56221. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart