CVE-2026-56309
Deferred Deferred - Pending Action

Capgo R2 Storage Quota Bypass via Unrestricted File Upload

Vulnerability report for CVE-2026-56309, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-10

Last updated on: 2026-07-10

Assigner: VulnCheck

Description

Capgo before 12.128.2 fails to enforce plan/quota restrictions on the /files/upload/attachments endpoint, allowing plan-blocked apps to create publicly readable R2 objects. Attackers can upload arbitrary attachments using upload-scoped API keys that bypass plan checks, persist outside normal bundle metadata, and survive app deletion, enabling storage and bandwidth abuse.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-10
Last Modified
2026-07-10
Generated
2026-07-10
AI Q&A
2026-07-10
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
capgo capgo to 12.128.2 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-770 The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-56309 is a vulnerability in Capgo versions before 12.128.2 where the /files/upload/attachments endpoint does not properly enforce plan or quota restrictions.

This allows apps that should be blocked by their plan to still upload publicly readable attachments using upload-scoped API keys. These attachments are stored as R2 objects that are not tracked in the app's metadata, persist even after the app is deleted, and exist outside normal accounting or quota controls.

The root cause is insufficient enforcement of plan and quota checks during uploads and lack of cleanup for these orphaned attachments.

Impact Analysis

This vulnerability can lead to storage and bandwidth abuse because attackers can upload arbitrary attachments that are publicly readable and persist indefinitely.

Since these attachments bypass normal plan restrictions and are not cleaned up after app deletion, they can consume resources without limit, potentially increasing costs or degrading service performance.

Detection Guidance

Detection of this vulnerability involves monitoring for unauthorized or unusual uploads to the /files/upload/attachments endpoint using upload-scoped API keys that bypass plan checks.

You can look for publicly readable R2 objects that are not tracked in app metadata and persist even after app deletion, indicating potential exploitation.

Suggested commands might include inspecting logs for API calls to /files/upload/attachments and querying storage buckets for orphaned or unexpected objects.

  • Use network monitoring tools or log analysis to filter requests to the /files/upload/attachments endpoint.
  • Run commands to list publicly readable R2 objects, for example, using the R2 CLI or API to identify objects not linked to active apps.
  • Check for upload-scoped API key usage patterns that do not align with normal app behavior.
Mitigation Strategies

Immediate mitigation steps include enforcing plan and quota checks on the /files/upload/attachments endpoint to prevent unauthorized uploads.

Ensure that attachments are tracked in the database metadata and validate object ownership before serving any uploaded content.

Implement cleanup routines to remove orphaned attachments, especially those surviving app deletion.

  • Upgrade Capgo to version 12.128.2 or later where the vulnerability is fixed.
  • Restrict or audit the use of upload-scoped API keys to prevent abuse.
  • Monitor storage usage and bandwidth to detect abnormal increases that may indicate exploitation.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-56309. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart