CVE-2026-56220
Deferred Deferred - Pending Action

Authorization Bypass in Capgo OTA Manifest

Vulnerability report for CVE-2026-56220, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-08

Last updated on: 2026-07-08

Assigner: VulnCheck

Description

Capgo before 12.128.2 contains an authorization bypass vulnerability in the public.manifest INSERT policy that allows read-only org members to insert OTA manifest rows. Attackers with read-only org access can inject malicious manifest entries with arbitrary s3_path values that are served to devices via the unauthenticated /updates endpoint, enabling OTA metadata poisoning and potential malicious asset delivery.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-08
Last Modified
2026-07-08
Generated
2026-07-08
AI Q&A
2026-07-08
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
capgo capgo to 12.128.2 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

This vulnerability allows unauthorized insertion of malicious OTA manifest entries by read-only organization members, leading to potential OTA metadata poisoning and delivery of malicious assets to devices.

Such unauthorized modifications and potential malicious asset delivery could compromise the integrity and security of device updates, which may impact compliance with standards and regulations that require strict access controls, data integrity, and protection against unauthorized changes.

However, the provided information does not explicitly mention the direct impact on specific compliance frameworks like GDPR or HIPAA.

Executive Summary

CVE-2026-56220 is an authorization bypass vulnerability in Capgo versions before 12.128.2. It allows read-only organization members, who normally should not have write permissions, to insert unauthorized rows into the public.manifest table. These inserted rows contain manipulated s3_path values that are later served to devices through an unauthenticated /updates endpoint.

The root cause is an overly permissive Row-Level Security (RLS) policy that only verifies org membership instead of checking for explicit upload or write permissions. This flaw enables attackers to inject malicious manifest entries, leading to OTA metadata poisoning and potentially delivering malicious assets to devices.

Impact Analysis

This vulnerability can impact you by allowing attackers with only read-only access to inject malicious OTA manifest entries that devices trust and use for updates.

  • Attackers can poison OTA update metadata, compromising the integrity of device updates.
  • Devices may be redirected to download malicious assets or JavaScript files if attackers control the referenced s3_path content.
  • Unauthorized modifications to device-facing update manifests can lead to potential security breaches or device compromise.
Detection Guidance

Detection of this vulnerability involves checking for unauthorized insertions into the public.manifest table by read-only organization members. Monitoring database logs for INSERT operations on the public.manifest table originating from users with read-only privileges can help identify exploitation attempts.

Additionally, inspecting the s3_path values in the manifest entries for suspicious or arbitrary URLs that do not conform to expected prefixes can indicate malicious injections.

Suggested commands include querying the database for recent inserts by read-only users and examining the s3_path fields:

  • SQL query to find recent inserts by read-only users: SELECT * FROM public.manifest WHERE inserted_by_role = 'read-only' AND insert_timestamp > NOW() - INTERVAL '1 day';
  • SQL query to detect suspicious s3_path values: SELECT * FROM public.manifest WHERE s3_path NOT LIKE 'expected_prefix%';

Network monitoring can also focus on requests to the unauthenticated /updates endpoint to detect unusual or unexpected manifest data being served.

Mitigation Strategies

Immediate mitigation steps include tightening the Row-Level Security (RLS) policies on the public.manifest table to restrict INSERT and DELETE operations only to users with explicit upload or write permissions.

Implement validation checks on the s3_path field to ensure only allowed prefixes or paths are accepted, preventing arbitrary or malicious URLs from being inserted.

Review and enforce strict RLS policies across all write paths to prevent privilege bypass by read-only organization members.

Applying the patch or upgrading to Capgo version 12.128.2 or later, where this vulnerability is fixed, is strongly recommended.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-56220. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart