CVE-2026-56307

Name of the Vulnerable Software and Affected Versions Cap-go versions prior to 12.128.12

Description An issue exists in the '/private/devices' endpoint on the Cloudflare/workerd path involving broken cursor pagination. Authenticated attackers with app.read devices access can exploit non-advancing cursor filters to trigger infinite pagination loops. This prevents the traversal of datasets, makes later rows unreachable, and causes repeated processing within device-management workflows.

Recommendations Update to version 12.128.12 or later.