CVE-2026-56307
Received Received - Intake
Broken Cursor Pagination in Cap-go Cloudflare/workerd

Publication date: 2026-06-20

Last updated on: 2026-06-20

Assigner: VulnCheck

Description
Cap-go before 12.128.12 contains a broken cursor pagination vulnerability in the /private/devices endpoint on the Cloudflare/workerd path that allows authenticated attackers to cause duplicate-page loops and make later rows unreachable. Attackers with app.read_devices access can exploit non-advancing cursor filters to trigger infinite pagination loops, prevent dataset traversal, and cause repeated processing in device-management workflows.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-20
Last Modified
2026-06-20
Generated
2026-06-20
AI Q&A
2026-06-20
EPSS Evaluated
N/A
NVD
CVE-2026-56307
EUVD
EUVD-2026-38124
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
cap-go capgo to 12.128.12 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-670 The code contains a control flow path that does not reflect the algorithm that the path is intended to implement, leading to incorrect behavior any time this path is navigated.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-56307 is a broken cursor pagination vulnerability in the /private/devices endpoint of the Cap-go platform running on the Cloudflare/workerd runtime path. The issue causes the pagination cursor to fail to advance properly, resulting in the same device being repeatedly returned with a hasMore=true flag. This creates an infinite loop that prevents access to later rows in the dataset, even though those rows exist.

Authenticated users with app.read_devices access can exploit this flaw to trigger duplicate page loops, making some data unreachable and causing repeated processing in device-management workflows. The root cause is related to the Cloudflare-specific implementation of cursor filtering and ordering logic in the readDevicesCF() function.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Impact Analysis

This vulnerability can impact you by causing infinite pagination loops when accessing device data, which prevents traversal of the full dataset. As a result, some device records become unreachable and cannot be processed or managed properly.

It can lead to repeated processing of the same data pages, potentially causing inefficiencies or errors in device-management workflows. Although it does not allow unauthorized access or data exposure across tenants, it affects the integrity and availability of device enumeration.

Detection Guidance

This vulnerability can be detected by observing the behavior of the /private/devices endpoint when accessed by an authenticated user with app.read_devices permissions. Specifically, if pagination requests repeatedly return the same device data with the same cursor and the hasMore=true flag, causing an infinite loop and preventing access to later rows, this indicates the presence of the broken cursor pagination issue.

To detect this on your system, you can perform authenticated API calls to the /private/devices endpoint and monitor the pagination cursor values and returned data. If the cursor does not advance and the same data is returned repeatedly, the vulnerability is present.

Example commands might include using curl or similar tools to paginate through the devices endpoint while logging cursor values and responses, for example:

  • curl -H "Authorization: Bearer <token>" "https://<your-capgo-instance>/private/devices?cursor=<cursor_value>"
  • Check if the cursor value in the response remains the same across requests and if hasMore=true persists without advancing.
Mitigation Strategies

The immediate mitigation step is to upgrade the Cap-go package to version 12.128.12 or later, where this broken cursor pagination vulnerability has been patched.

Until the upgrade can be applied, restrict or monitor access to the /private/devices endpoint, especially for users with app.read_devices permissions, to reduce the risk of exploitation.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-56307. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart