CVE-2026-56298
Deferred Deferred - Pending Action

Capgo Image Upload EXIF Metadata Exposure Vulnerability

Vulnerability report for CVE-2026-56298, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-08

Last updated on: 2026-07-08

Assigner: VulnCheck

Description

Capgo before 12.128.2 fails to strip EXIF metadata from images uploaded via the app information endpoint, exposing sensitive geolocation data. Attackers can upload images containing EXIF metadata to extract geographic location information and other embedded metadata from uploaded files.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-08
Last Modified
2026-07-08
Generated
2026-07-08
AI Q&A
2026-07-08
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
capgo capgo to 12.128.2 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Mitigation Strategies

The immediate mitigation step is to upgrade Capgo to version 12.128.2 or later, where the vulnerability has been fixed by properly stripping EXIF metadata from uploaded images.

Until the upgrade can be applied, consider implementing controls to block or sanitize image uploads containing EXIF metadata at the application or network level.

Additionally, review and restrict permissions to limit exposure of uploaded images containing sensitive metadata.

Executive Summary

This vulnerability exists in Capgo versions before 12.128.2 where the application fails to remove EXIF metadata from images uploaded via the app information endpoint.

EXIF metadata can contain sensitive information such as geolocation data embedded in the images.

Because the metadata is not stripped, attackers can upload images containing EXIF data and then extract geographic location and other embedded metadata from those uploaded files.

Impact Analysis

The vulnerability can lead to exposure of sensitive information, specifically geographic location data, which can compromise user privacy and security.

Attackers can exploit this by uploading images with embedded EXIF metadata and then accessing the uploaded images to extract this sensitive information.

This exposure could potentially be used for unauthorized tracking or profiling of users based on their location data.

Detection Guidance

This vulnerability can be detected by checking if images uploaded via the app information endpoint contain EXIF metadata, especially geolocation data, which should have been stripped by the application.

One approach is to monitor or intercept image uploads to the Capgo application and analyze the uploaded files for EXIF metadata using tools such as exiftool.

  • Use exiftool to inspect uploaded images for EXIF metadata: exiftool uploaded_image.jpg
  • Capture HTTP traffic to the app information endpoint and extract uploaded images for analysis.
  • Check the Capgo version running on your system; if it is before 12.128.2, it is vulnerable.
Compliance Impact

This vulnerability exposes sensitive geolocation data through unstripped EXIF metadata in uploaded images, which could lead to unauthorized disclosure of personal information.

Such exposure of sensitive personal data may impact compliance with data protection regulations like GDPR, which require protection of personal data and prevention of unauthorized access or disclosure.

Similarly, regulations like HIPAA that mandate safeguarding of sensitive information could be affected if the exposed metadata relates to protected health information or patient location data.

Therefore, failure to strip EXIF metadata could result in non-compliance with these standards due to potential unauthorized exposure of sensitive information.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-56298. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart