<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Capgo &lt; 12.128.2 - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/capgo--12.128.2/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 08 Jul 2026 14:22:30 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/capgo--12.128.2/feed.xml" rel="self" type="application/rss+xml"/><item><title>CVE-2026-56250: Capgo R2 Bundle Object Deletion via Mutable r2_path</title><link>https://feed.craftedsignal.io/briefs/2026-07-capgo-r2-path-dos/</link><pubDate>Wed, 08 Jul 2026 14:22:30 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-capgo-r2-path-dos/</guid><description>A critical vulnerability, CVE-2026-56250, in Capgo before version 12.128.2 allows an authenticated attacker with upload-scoped API keys to manipulate the app_versions.r2_path field via PostgREST, leading to arbitrary R2 bundle object deletion and denial of service.</description><content:encoded><![CDATA[<p>Capgo, an open-source tool for managing Capacitor applications, is affected by CVE-2026-56250, a high-severity vulnerability present in versions prior to 12.128.2. This flaw enables an attacker possessing an upload-scoped API key to modify the <code>app_versions.r2_path</code> field through the PostgREST interface. By exploiting this, the attacker can redirect the path of an application version they control to point to arbitrary R2 bundle objects belonging to a victim. Subsequently, by initiating a &quot;soft-delete&quot; operation on their modified version, the attacker can trigger an internal <code>on_version_update</code> cleanup function that then inadvertently deletes the victim's targeted R2 object. This results in a denial of service and significant disruption to bundle availability for applications managed by the vulnerable Capgo instance, severely impacting operational integrity.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker obtains a valid upload-scoped API key for a Capgo instance, which provides legitimate access to interact with application versions.</li>
<li>Attacker identifies a target application version within Capgo that they control and a victim's critical R2 bundle object they wish to delete.</li>
<li>Attacker uses the upload-scoped API key to make a PATCH request via PostgREST, targeting the <code>app_versions.r2_path</code> field of their controlled application version.</li>
<li>The <code>r2_path</code> field is modified to point from the attacker's own R2 bundle object to the specific victim R2 bundle object, effectively retargeting it.</li>
<li>Attacker initiates an action (e.g., publishing a new version that makes the previous one obsolete) that leads to a &quot;soft-delete&quot; of their now-maliciously-configured application version.</li>
<li>Capgo's backend executes the <code>on_version_update</code> cleanup function, which follows the attacker-modified <code>r2_path</code>.</li>
<li>The cleanup function then erroneously attempts to &quot;clean up&quot; the R2 object at the retargeted path, resulting in the deletion of the victim's legitimate R2 bundle object.</li>
<li>Victim's applications that rely on the deleted R2 bundle object experience service disruption and denial of service due to unavailability of necessary resources.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The observed impact of CVE-2026-56250 exploitation is a direct denial of service (DoS) affecting applications and services managed by Capgo deployments. Attackers can leverage this vulnerability to arbitrarily delete crucial R2 bundle objects, rendering legitimate applications inoperable or unavailable. This can lead to severe operational disruptions, loss of data integrity (due to missing bundles), and potential financial and reputational damage for affected organizations. The vulnerability specifically targets the availability of application bundles, which are fundamental to the functionality of Capgo-managed applications, affecting any organization using vulnerable Capgo versions.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Immediately update Capgo to version 12.128.2 or newer to remediate CVE-2026-56250.</li>
<li>Review and enforce strict access control policies for all Capgo API keys, ensuring that upload-scoped keys lack permissions to modify sensitive configuration paths like <code>app_versions.r2_path</code>.</li>
<li>Monitor Capgo application logs and PostgREST access logs for any unauthorized or unusual PATCH requests to the <code>app_versions.r2_path</code> field or unexpected deletion events in R2 storage.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>vulnerability</category><category>denial-of-service</category><category>cloud</category><category>web-application</category></item><item><title>CVE-2026-56246 - Capgo Broken Access Control in Organization Management API</title><link>https://feed.craftedsignal.io/briefs/2026-07-capgo-broken-access-control/</link><pubDate>Wed, 08 Jul 2026 14:21:38 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-capgo-broken-access-control/</guid><description>Capgo versions prior to 12.128.2 contain a broken access control vulnerability (CVE-2026-56246) in their organization management API where a scoped API key inherits the full permissions of its owner-user, allowing an attacker to perform destructive operations against unauthorized organizations, bypassing intended scope and leading to privilege escalation and impact.</description><content:encoded><![CDATA[<p>A critical broken access control vulnerability (CVE-2026-56246) has been identified in Capgo versions prior to 12.128.2. This flaw exists within the organization management API, specifically concerning how scoped API keys (configured with <code>limited_to_orgs</code>) handle permissions. An attacker who gains access to an API key owned by a user who is an administrator in multiple organizations can leverage this vulnerability. The key, despite being explicitly restricted to a single organization, improperly inherits the full administrative privileges of its owner across all organizations where the owner is an admin. This bypasses the intended scope of the API key, enabling the attacker to perform unauthorized and destructive cross-organization actions, such as deleting entire organizations or removing members using endpoints like <code>DELETE /organization</code> and <code>DELETE /organization/members</code>. The root cause lies in the application's <code>rbac_check_permission_direct</code> logic, which evaluates the owner's global user privileges before enforcing the <code>limited_to_orgs</code> restriction. This allows for privilege escalation and significant unauthorized impact.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker obtains a Capgo API key belonging to a user who holds administrative privileges across multiple Capgo organizations.</li>
<li>The attacker configures or identifies an API key intended to have its operations explicitly restricted to a single, designated organization using the <code>limited_to_orgs</code> scope.</li>
<li>The attacker crafts an API request to perform a destructive action, such as <code>DELETE /organization</code> or <code>DELETE /organization/members</code>, targeting a <em>different</em> organization for which the API key is <em>not</em> explicitly authorized.</li>
<li>The Capgo application processes the API request, initiating an authorization check that includes a call to <code>rbac_check_permission_direct</code>.</li>
<li>During this authorization process, the system incorrectly evaluates the full administrative permissions of the API key's owner-user across all their assigned organizations.</li>
<li>The system fails to enforce the <code>limited_to_orgs</code> scope, neglecting the explicit restriction defined for the API key itself due to the flawed <code>rbac_check_permission_direct</code> logic.</li>
<li>The destructive API call (e.g., unauthorized organization deletion, member removal) is successfully executed against the unintended target organization, leading to unauthorized data destruction or disruption.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The successful exploitation of CVE-2026-56246 can lead to severe consequences, including unauthorized data destruction, service disruption, and privilege escalation. An attacker can leverage an improperly scoped API key to delete entire Capgo organizations or remove critical members from them, even if the key was explicitly meant for a different scope. This can cause significant operational downtime, loss of data, and potentially compromise the integrity of multiple organizational structures within Capgo, affecting all users and data associated with the targeted organizations. The broad impact stems from the ability to affect multiple, supposedly isolated, organizations via a single compromised key.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Patch Capgo instances immediately to version 12.128.2 or later to address CVE-2026-56246.</li>
<li>Review and re-evaluate all existing Capgo API keys, especially those with <code>limited_to_orgs</code> scope, to ensure they adhere to the principle of least privilege and their permissions are correctly enforced post-patch.</li>
<li>Implement strict logging and monitoring for Capgo API key usage, specifically for destructive operations like <code>DELETE /organization</code> or <code>DELETE /organization/members</code>, to detect anomalous activity related to CVE-2026-56246.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>vulnerability</category><category>privilege-escalation</category><category>data-destruction</category><category>impact</category><category>cloud</category></item></channel></rss>