PT-2026-56429 · Cap Go+1 · Cap-Go+1
Judel777
·
Published
2026-07-08
·
Updated
2026-07-08
·
CVE-2026-56250
CVSS v3.1
7.5
High
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
Name of the Vulnerable Software and Affected Versions
Capgo versions prior to 12.128.2
Description
An improper authorization and input validation flaw exists in the PostgREST API, allowing users with upload-scoped API keys to modify the mutable
r2 path field within app versions. This enables an attacker to retarget bundle references to arbitrary R2 objects. By patching the r2 path to point to a victim object and subsequently soft-deleting the attacker-controlled version, the on version update cleanup function can be triggered to delete the victim R2 object, resulting in denial of service and disruption of bundle availability.Recommendations
Update to version 12.128.2.
Exploit
Fix
Missing Authorization
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Cap-Go
Postgres