Vendor
medium
advisory
CVE-2026-56250: Capgo R2 Bundle Object Deletion via Mutable r2_path
2 TTPs 1 CVE 2 IOCsA critical vulnerability, CVE-2026-56250, in Capgo before version 12.128.2 allows an authenticated attacker with upload-scoped API keys to manipulate the app_versions.r2_path field via PostgREST, leading to arbitrary R2 bundle object deletion and denial of service.
Capgo < 12.128.2
vulnerability
denial-of-service
cloud
web-application
2t
1c
2i
high
advisory
CVE-2026-56246 - Capgo Broken Access Control in Organization Management API
3 TTPs 1 CVECapgo versions prior to 12.128.2 contain a broken access control vulnerability (CVE-2026-56246) in their organization management API where a scoped API key inherits the full permissions of its owner-user, allowing an attacker to perform destructive operations against unauthorized organizations, bypassing intended scope and leading to privilege escalation and impact.
Capgo < 12.128.2
vulnerability
privilege-escalation
data-destruction
impact
cloud
3t
1c