CVE-2026-56236
Received Received - Intake
Arbitrary File Overwrite via Symlink in Capgo CLI

Publication date: 2026-06-21

Last updated on: 2026-06-21

Assigner: VulnCheck

Description
Capgo CLI before 12.128.2 contains arbitrary file overwrite vulnerabilities in login and build credentials operations that follow symlinks without validation. Attackers can create malicious symlinks in repositories to overwrite arbitrary files or expose credentials with world-readable permissions when developers run the CLI.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-21
Last Modified
2026-06-21
Generated
2026-06-21
AI Q&A
2026-06-21
EPSS Evaluated
N/A
NVD
CVE-2026-56236
EUVD
EUVD-2026-38165
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
capgo capgo_cli to 12.128.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-59 The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability in Capgo CLI versions before 12.128.2 involves arbitrary file overwrite due to the CLI following symbolic links (symlinks) without proper validation during login and build credential operations.

Attackers can create malicious symlinks in repositories that cause the CLI to overwrite arbitrary files or expose sensitive credentials with insecure permissions when developers run the CLI.

This happens because the CLI does not check if the target files are symlinks before writing, and it also saves global build credentials with world-readable permissions instead of more secure ones.

Detection Guidance

Detection of this vulnerability involves checking for the presence of malicious symlinks in repositories that the Capgo CLI interacts with, as well as inspecting file permissions of credential files created by the CLI.

  • Search for symlinks in your project directories that could point to sensitive system files using commands like: find . -type l -ls
  • Check the permissions of credential files such as .capgo and .capgo-credentials.json to ensure they are not world-readable (should be 0600): ls -l .capgo*
  • Monitor file changes or overwrites in critical system files that could be targeted by symlink attacks using file integrity monitoring tools or commands like: sudo auditctl -w /path/to/critical/file -p wa
Mitigation Strategies

Immediate mitigation steps include upgrading the Capgo CLI to version 12.128.2 or later where the vulnerability is fixed.

Until an upgrade is possible, avoid running the Capgo CLI in untrusted repositories or environments where malicious symlinks could exist.

Manually verify and remove any suspicious symlinks in your repositories.

Ensure that credential files created by the CLI have strict permissions (0600) to prevent unauthorized access.

Compliance Impact

The vulnerability in Capgo CLI allows arbitrary file overwrite and exposes credentials with world-readable permissions, which can lead to unauthorized access to sensitive information.

Such exposure and potential compromise of credentials and sensitive files could negatively impact compliance with standards and regulations like GDPR and HIPAA, which require strict protection of personal and sensitive data.

Specifically, the insecure file permissions and lack of symlink validation increase the risk of data breaches, which are critical compliance concerns under these regulations.

Impact Analysis

This vulnerability can lead to several serious impacts including:

  • Overwriting critical system or application files, potentially causing sabotage or disruption.
  • Exposure of sensitive credentials and signing materials due to insecure file permissions, risking secret leakage.
  • Compromise of the developer environment, which can lead to further security breaches or unauthorized access.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-56236. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart