PT-2026-56429 · Cap Go+1 · Cap-Go+1

Judel777

·

Published

2026-07-08

·

Updated

2026-07-08

·

CVE-2026-56250

CVSS v3.1

7.5

High

VectorAV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions Capgo versions prior to 12.128.2
Description An improper authorization and input validation flaw exists in the PostgREST API, allowing users with upload-scoped API keys to modify the mutable r2 path field within app versions. This enables an attacker to retarget bundle references to arbitrary R2 objects. By patching the r2 path to point to a victim object and subsequently soft-deleting the attacker-controlled version, the on version update cleanup function can be triggered to delete the victim R2 object, resulting in denial of service and disruption of bundle availability.
Recommendations Update to version 12.128.2.

Exploit

Fix

Missing Authorization

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-56250

Affected Products

Cap-Go
Postgres