CVE-2026-56255
Deferred Deferred - Pending Action

Capgo Denial of Service via Unlimited Demo App Creation

Vulnerability report for CVE-2026-56255, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-22

Last updated on: 2026-06-23

Assigner: VulnCheck

Description

Capgo before 12.128.2 contains a denial of service vulnerability in the POST /app/demo endpoint that allows authenticated users with org write permissions to create unlimited demo applications without rate limiting or quota enforcement. Attackers can repeatedly invoke this endpoint to generate approximately 138 database write operations per request, causing degraded performance, increased costs, and potential service instability.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-22
Last Modified
2026-06-23
Generated
2026-07-13
AI Q&A
2026-06-23
EPSS Evaluated
2026-07-11
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
capgo capgo to 12.128.2 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-770 The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Detection Guidance

This vulnerability can be detected by monitoring for excessive or repeated POST requests to the /app/demo endpoint from authenticated users with organization write permissions.

Since each request triggers approximately 138 database write operations, unusually high database write activity correlated with these requests can indicate exploitation.

Commands to detect this might include:

  • Using web server logs or network monitoring tools to filter POST requests to /app/demo, for example, with grep or similar tools:
  • grep 'POST /app/demo' /var/log/nginx/access.log
  • Monitoring database write operations or slow queries that spike in correlation with these requests.
  • Using application logs to identify repeated demo app creation attempts by the same user or IP.
Executive Summary

This vulnerability exists in Capgo versions before 12.128.2 and involves the POST /app/demo endpoint. Authenticated users who have organization write permissions can exploit this vulnerability by creating unlimited demo applications without any rate limiting or quota enforcement.

Each request to this endpoint can generate approximately 138 database write operations, which can be repeatedly invoked by attackers.

Impact Analysis

The vulnerability can lead to degraded performance of the affected system due to the high volume of database write operations triggered by each request.

It can also increase operational costs because of the excessive resource usage and may cause potential service instability.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Mitigation Strategies

Immediate mitigation steps include implementing rate limiting and quota enforcement on the POST /app/demo endpoint to prevent unlimited demo app creation.

Other recommended actions are:

  • Enforce plan-based quotas restricting the number of demo apps a user or organization can create.
  • Implement strict per-user and per-organization rate limiting controls.
  • Move demo data generation to asynchronous jobs with bounded work to reduce immediate resource consumption.
  • Restrict demo app creation to UI-only flows to prevent automated abuse via API calls.

Upgrading to Capgo version 12.128.2 or later, where this vulnerability is patched, is strongly advised.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-56255. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart