CVE-2026-56250
Deferred Deferred - Pending Action

Capgo Path Traversal via PostgREST API Key

Vulnerability report for CVE-2026-56250, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-08

Last updated on: 2026-07-08

Assigner: VulnCheck

Description

Capgo before 12.128.2 allows upload-scoped API keys to modify the mutable app_versions.r2_path field through PostgREST, enabling retargeting to arbitrary R2 bundle objects. Attackers can patch r2_path to point to victim objects, soft-delete the attacker-controlled version, and trigger the on_version_update cleanup function to delete the victim R2 object, causing denial of service and bundle availability disruption.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-08
Last Modified
2026-07-08
Generated
2026-07-08
AI Q&A
2026-07-08
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
capgo capgo to 12.128.2 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

CVE-2026-56250 is a high-severity vulnerability in Capgo versions before 12.128.2 that allows attackers with upload-scoped API keys to modify the mutable app_versions.r2_path field through PostgREST.

This modification enables attackers to redirect the r2_path to arbitrary R2 bundle objects owned by victims. By soft-deleting their own attacker-controlled version, they trigger a cleanup function (on_version_update) that deletes the victim's R2 object.

The root cause is a missing authorization check that allows the mutable r2_path field to be changed after initial setting, which should not be allowed. This leads to unauthorized deletion of R2 objects, causing denial of service and disruption of bundle availability.

Impact Analysis

This vulnerability can lead to denial of service by allowing attackers to delete R2 bundle objects that are critical for application functionality.

It disrupts the availability of bundles, potentially breaking over-the-air (OTA) updates or causing loss of important bundle artifacts.

Because attackers can delete victim objects without proper authorization, this can result in significant operational impact and data loss related to app versions.

Detection Guidance

Detection of this vulnerability involves monitoring for unauthorized modifications to the mutable app_versions.r2_path field via PostgREST API calls using upload-scoped API keys.

Specifically, commands or queries should focus on identifying changes to the r2_path field that do not align with expected upload-link flows or that retarget to unexpected R2 bundle objects.

Since the vulnerability exploits the ability to modify r2_path through PostgREST, inspecting API request logs for PATCH or UPDATE operations on app_versions.r2_path by upload-scoped API keys can help detect exploitation attempts.

Additionally, database queries to audit recent changes to the app_versions table's r2_path field, especially those followed by soft-deletion of the attacker-controlled version, can indicate exploitation.

Mitigation Strategies

The primary immediate mitigation is to upgrade Capgo to version 12.128.2 or later, where the vulnerability has been patched.

  • Apply the patch that makes the r2_path field immutable after initial setting to prevent unauthorized modifications.
  • Implement validation during the cleanup process to ensure that the r2_path belongs to the correct app and version before deletion.
  • Consider re-deriving the expected r2_path during deletion instead of relying on the mutable field.

In the short term, restrict or monitor upload-scoped API keys to limit their ability to modify sensitive fields until the patch can be applied.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-56250. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart