CVE-2026-56236
Deferred Deferred - Pending Action

Arbitrary File Overwrite via Symlink in Capgo CLI

Vulnerability report for CVE-2026-56236, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-21

Last updated on: 2026-06-22

Assigner: VulnCheck

Description

Capgo CLI before 12.128.2 contains arbitrary file overwrite vulnerabilities in login and build credentials operations that follow symlinks without validation. Attackers can create malicious symlinks in repositories to overwrite arbitrary files or expose credentials with world-readable permissions when developers run the CLI.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-21
Last Modified
2026-06-22
Generated
2026-07-11
AI Q&A
2026-06-21
EPSS Evaluated
2026-07-10
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
capgo capgo_cli to 12.128.2 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-59 The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

The vulnerability in Capgo CLI allows arbitrary file overwrite and exposes credentials with world-readable permissions, which can lead to unauthorized access to sensitive information.

Such exposure and potential compromise of credentials and sensitive files could negatively impact compliance with standards and regulations like GDPR and HIPAA, which require strict protection of personal and sensitive data.

Specifically, the insecure file permissions and lack of symlink validation increase the risk of data breaches, which are critical compliance concerns under these regulations.

Executive Summary

The vulnerability in Capgo CLI versions before 12.128.2 involves arbitrary file overwrite due to the CLI following symbolic links (symlinks) without proper validation during login and build credential operations.

Attackers can create malicious symlinks in repositories that cause the CLI to overwrite arbitrary files or expose sensitive credentials with insecure permissions when developers run the CLI.

This happens because the CLI does not check if the target files are symlinks before writing, and it also saves global build credentials with world-readable permissions instead of more secure ones.

Impact Analysis

This vulnerability can lead to several serious impacts including:

  • Overwriting critical system or application files, potentially causing sabotage or disruption.
  • Exposure of sensitive credentials and signing materials due to insecure file permissions, risking secret leakage.
  • Compromise of the developer environment, which can lead to further security breaches or unauthorized access.
Detection Guidance

Detection of this vulnerability involves checking for the presence of malicious symlinks in repositories that the Capgo CLI interacts with, as well as inspecting file permissions of credential files created by the CLI.

  • Search for symlinks in your project directories that could point to sensitive system files using commands like: find . -type l -ls
  • Check the permissions of credential files such as .capgo and .capgo-credentials.json to ensure they are not world-readable (should be 0600): ls -l .capgo*
  • Monitor file changes or overwrites in critical system files that could be targeted by symlink attacks using file integrity monitoring tools or commands like: sudo auditctl -w /path/to/critical/file -p wa
Mitigation Strategies

Immediate mitigation steps include upgrading the Capgo CLI to version 12.128.2 or later where the vulnerability is fixed.

Until an upgrade is possible, avoid running the Capgo CLI in untrusted repositories or environments where malicious symlinks could exist.

Manually verify and remove any suspicious symlinks in your repositories.

Ensure that credential files created by the CLI have strict permissions (0600) to prevent unauthorized access.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-56236. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart