CVE-2026-56217
Deferred Deferred - Pending Action

Capgo Policy Bypass via App-Scoped API Key Abuse

Vulnerability report for CVE-2026-56217, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-08

Last updated on: 2026-07-08

Assigner: VulnCheck

Description

Capgo before 12.128.2 contains a policy bypass vulnerability in app_versions update enforcement that allows app-scoped API keys to downgrade encrypted bundles to non-encrypted state. Attackers with app-scoped all API keys can directly update the app_versions table via PostgREST to clear session_key and key_id fields, bypassing organization-enforced encrypted-bundle policies and weakening OTA security controls.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-08
Last Modified
2026-07-08
Generated
2026-07-08
AI Q&A
2026-07-08
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
capgo capgo to 12.128.2 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

This vulnerability allows attackers with app-scoped API keys to bypass enforced encrypted bundle policies by downgrading encrypted bundles to a non-encrypted state. This weakens over-the-air (OTA) security controls and results in loss of integrity of bundle protection metadata.

Such weakening of encryption and security controls could potentially impact compliance with standards and regulations like GDPR and HIPAA, which require protection of sensitive data and enforcement of strong security measures to ensure data confidentiality and integrity.

However, the provided information does not explicitly mention specific compliance impacts or regulatory violations.

Executive Summary

CVE-2026-56217 is a policy bypass vulnerability in Capgo versions before 12.128.2 that affects the enforcement of encrypted bundle policies. Attackers who have app-scoped API keys can exploit this by directly updating the app_versions table via PostgREST, clearing the session_key and key_id fields. This action downgrades encrypted bundles to a non-encrypted state, bypassing organization-enforced security policies.

The root cause is that the database enforces encryption only on INSERT operations through an insert-only trigger, but does not enforce the same checks on UPDATE operations. This allows attackers to modify existing entries to remove encryption after the bundle has been inserted.

Impact Analysis

This vulnerability can weaken over-the-air (OTA) security controls by allowing attackers to downgrade encrypted bundles to a non-encrypted state. This results in a loss of integrity of bundle protection metadata and potentially compromises the security guarantees of downstream delivery and runtime environments.

Attackers with app-scoped API keys can bypass organization-enforced encrypted-bundle policies, which may lead to unauthorized access or manipulation of sensitive data transmitted via these bundles.

Detection Guidance

This vulnerability involves unauthorized updates to the app_versions table via PostgREST that clear the session_key and key_id fields, downgrading encrypted bundles to a non-encrypted state.

To detect this vulnerability on your system, you should monitor for unexpected or unauthorized updates to the app_versions table, specifically looking for changes where session_key and key_id fields are cleared or set to null.

Commands to help detect this could include querying the database for recent updates to app_versions where these fields are empty or null, for example:

  • SELECT * FROM public.app_versions WHERE session_key IS NULL OR key_id IS NULL ORDER BY updated_at DESC;
  • Review PostgREST API logs for PATCH or UPDATE requests to the app_versions endpoint that modify session_key or key_id fields.
  • Set up database auditing or triggers to log or alert on UPDATE operations to session_key and key_id fields in app_versions.
Mitigation Strategies

Immediate mitigation steps include restricting direct update access to the app_versions table via PostgREST, especially for app-scoped API keys.

Implement or enforce update-time triggers on the app_versions table that maintain the encrypted-bundle invariant, ensuring session_key and key_id cannot be cleared or altered improperly on UPDATE operations.

Consider routing all updates to security-sensitive fields like session_key and key_id through a validated backend path rather than allowing direct PostgREST mutations.

Upgrade Capgo to version 12.128.2 or later, where this vulnerability has been addressed.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-56217. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart