CVE-2026-56281
Received Received - Intake

SQL Injection in Capgo Analytics Platform

Vulnerability report for CVE-2026-56281, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-12

Last updated on: 2026-07-12

Assigner: VulnCheck

Description

Capgo before 12.128.2 contains a sql injection vulnerability in the POST /private/admin_stats endpoint where the limit parameter is destructured from unvalidated request body and interpolated directly into Cloudflare Analytics Engine SQL queries via template literals. An attacker with platform admin credentials can inject SQL fragments to enumerate dataset schemas, extract analytics data, or cause denial-of-service against the analytics backend.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-12
Last Modified
2026-07-12
Generated
2026-07-12
AI Q&A
2026-07-12
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
capgo capgo to 12.128.2 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Impact Analysis

If exploited by an attacker with platform admin credentials, this vulnerability can lead to unauthorized enumeration of database schemas, extraction of sensitive analytics data, and denial-of-service attacks against the analytics backend.

The impact includes potential exposure of sensitive information and disruption of analytics services, which could affect the availability and confidentiality of data.

Executive Summary

CVE-2026-56281 is a SQL injection vulnerability in the Capgo application affecting versions before 12.128.2. It occurs in the POST /private/admin_stats endpoint where the 'limit' parameter is taken from an unvalidated request body and directly inserted into SQL queries via JavaScript template literals.

Although other parameters are validated by a Zod schema, 'limit' and 'offset' are not validated properly, allowing an attacker with platform admin credentials to inject malicious SQL fragments.

This vulnerability can be exploited to enumerate database schemas, extract analytics data, or cause denial-of-service attacks against the analytics backend.

Detection Guidance

Detection of this vulnerability involves monitoring requests to the POST /private/admin_stats endpoint for suspicious or malformed 'limit' parameter values that could indicate SQL injection attempts.

Since the vulnerability requires platform admin credentials and exploits the 'limit' parameter in the request body, inspecting logs for unusual or unexpected SQL fragments in this parameter can help identify exploitation attempts.

Specific commands are not provided in the available resources, but general approaches include:

  • Using web application firewall (WAF) logs or intrusion detection system (IDS) alerts to flag suspicious POST requests to /private/admin_stats.
  • Searching server logs for POST requests containing unusual characters or SQL keywords in the 'limit' parameter.
  • Employing tools like grep or similar to scan access logs, for example: grep -i 'POST /private/admin_stats' /var/log/nginx/access.log | grep -E 'limit=.*(union|select|--|;)'
Mitigation Strategies

The primary mitigation is to upgrade Capgo to version 12.128.2 or later, where the vulnerability is fixed by adding proper validation for the 'limit' and 'offset' parameters in the Zod schema and ensuring these values are destructured from validated data.

Until the upgrade can be applied, restrict platform admin access to trusted users only, as exploitation requires high privileges.

Additionally, monitor and block suspicious requests to the /private/admin_stats endpoint, and consider implementing input validation or WAF rules to detect and prevent SQL injection attempts targeting the 'limit' parameter.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-56281. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart