{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/capgo/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-56250"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Capgo \u003c 12.128.2"],"_cs_severities":["medium"],"_cs_tags":["vulnerability","denial-of-service","cloud","web-application"],"_cs_type":"advisory","_cs_vendors":["Capgo"],"content_html":"\u003cp\u003eCapgo, an open-source tool for managing Capacitor applications, is affected by CVE-2026-56250, a high-severity vulnerability present in versions prior to 12.128.2. This flaw enables an attacker possessing an upload-scoped API key to modify the \u003ccode\u003eapp_versions.r2_path\u003c/code\u003e field through the PostgREST interface. By exploiting this, the attacker can redirect the path of an application version they control to point to arbitrary R2 bundle objects belonging to a victim. Subsequently, by initiating a \u0026quot;soft-delete\u0026quot; operation on their modified version, the attacker can trigger an internal \u003ccode\u003eon_version_update\u003c/code\u003e cleanup function that then inadvertently deletes the victim's targeted R2 object. This results in a denial of service and significant disruption to bundle availability for applications managed by the vulnerable Capgo instance, severely impacting operational integrity.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker obtains a valid upload-scoped API key for a Capgo instance, which provides legitimate access to interact with application versions.\u003c/li\u003e\n\u003cli\u003eAttacker identifies a target application version within Capgo that they control and a victim's critical R2 bundle object they wish to delete.\u003c/li\u003e\n\u003cli\u003eAttacker uses the upload-scoped API key to make a PATCH request via PostgREST, targeting the \u003ccode\u003eapp_versions.r2_path\u003c/code\u003e field of their controlled application version.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003er2_path\u003c/code\u003e field is modified to point from the attacker's own R2 bundle object to the specific victim R2 bundle object, effectively retargeting it.\u003c/li\u003e\n\u003cli\u003eAttacker initiates an action (e.g., publishing a new version that makes the previous one obsolete) that leads to a \u0026quot;soft-delete\u0026quot; of their now-maliciously-configured application version.\u003c/li\u003e\n\u003cli\u003eCapgo's backend executes the \u003ccode\u003eon_version_update\u003c/code\u003e cleanup function, which follows the attacker-modified \u003ccode\u003er2_path\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe cleanup function then erroneously attempts to \u0026quot;clean up\u0026quot; the R2 object at the retargeted path, resulting in the deletion of the victim's legitimate R2 bundle object.\u003c/li\u003e\n\u003cli\u003eVictim's applications that rely on the deleted R2 bundle object experience service disruption and denial of service due to unavailability of necessary resources.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe observed impact of CVE-2026-56250 exploitation is a direct denial of service (DoS) affecting applications and services managed by Capgo deployments. Attackers can leverage this vulnerability to arbitrarily delete crucial R2 bundle objects, rendering legitimate applications inoperable or unavailable. This can lead to severe operational disruptions, loss of data integrity (due to missing bundles), and potential financial and reputational damage for affected organizations. The vulnerability specifically targets the availability of application bundles, which are fundamental to the functionality of Capgo-managed applications, affecting any organization using vulnerable Capgo versions.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately update Capgo to version 12.128.2 or newer to remediate CVE-2026-56250.\u003c/li\u003e\n\u003cli\u003eReview and enforce strict access control policies for all Capgo API keys, ensuring that upload-scoped keys lack permissions to modify sensitive configuration paths like \u003ccode\u003eapp_versions.r2_path\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eMonitor Capgo application logs and PostgREST access logs for any unauthorized or unusual PATCH requests to the \u003ccode\u003eapp_versions.r2_path\u003c/code\u003e field or unexpected deletion events in R2 storage.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-08T14:22:30Z","date_published":"2026-07-08T14:22:30Z","id":"https://feed.craftedsignal.io/briefs/2026-07-capgo-r2-path-dos/","summary":"A critical vulnerability, CVE-2026-56250, in Capgo before version 12.128.2 allows an authenticated attacker with upload-scoped API keys to manipulate the app_versions.r2_path field via PostgREST, leading to arbitrary R2 bundle object deletion and denial of service.","title":"CVE-2026-56250: Capgo R2 Bundle Object Deletion via Mutable r2_path","url":"https://feed.craftedsignal.io/briefs/2026-07-capgo-r2-path-dos/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2026-56246"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Capgo \u003c 12.128.2"],"_cs_severities":["high"],"_cs_tags":["vulnerability","privilege-escalation","data-destruction","impact","cloud"],"_cs_type":"advisory","_cs_vendors":["Capgo"],"content_html":"\u003cp\u003eA critical broken access control vulnerability (CVE-2026-56246) has been identified in Capgo versions prior to 12.128.2. This flaw exists within the organization management API, specifically concerning how scoped API keys (configured with \u003ccode\u003elimited_to_orgs\u003c/code\u003e) handle permissions. An attacker who gains access to an API key owned by a user who is an administrator in multiple organizations can leverage this vulnerability. The key, despite being explicitly restricted to a single organization, improperly inherits the full administrative privileges of its owner across all organizations where the owner is an admin. This bypasses the intended scope of the API key, enabling the attacker to perform unauthorized and destructive cross-organization actions, such as deleting entire organizations or removing members using endpoints like \u003ccode\u003eDELETE /organization\u003c/code\u003e and \u003ccode\u003eDELETE /organization/members\u003c/code\u003e. The root cause lies in the application's \u003ccode\u003erbac_check_permission_direct\u003c/code\u003e logic, which evaluates the owner's global user privileges before enforcing the \u003ccode\u003elimited_to_orgs\u003c/code\u003e restriction. This allows for privilege escalation and significant unauthorized impact.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker obtains a Capgo API key belonging to a user who holds administrative privileges across multiple Capgo organizations.\u003c/li\u003e\n\u003cli\u003eThe attacker configures or identifies an API key intended to have its operations explicitly restricted to a single, designated organization using the \u003ccode\u003elimited_to_orgs\u003c/code\u003e scope.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts an API request to perform a destructive action, such as \u003ccode\u003eDELETE /organization\u003c/code\u003e or \u003ccode\u003eDELETE /organization/members\u003c/code\u003e, targeting a \u003cem\u003edifferent\u003c/em\u003e organization for which the API key is \u003cem\u003enot\u003c/em\u003e explicitly authorized.\u003c/li\u003e\n\u003cli\u003eThe Capgo application processes the API request, initiating an authorization check that includes a call to \u003ccode\u003erbac_check_permission_direct\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eDuring this authorization process, the system incorrectly evaluates the full administrative permissions of the API key's owner-user across all their assigned organizations.\u003c/li\u003e\n\u003cli\u003eThe system fails to enforce the \u003ccode\u003elimited_to_orgs\u003c/code\u003e scope, neglecting the explicit restriction defined for the API key itself due to the flawed \u003ccode\u003erbac_check_permission_direct\u003c/code\u003e logic.\u003c/li\u003e\n\u003cli\u003eThe destructive API call (e.g., unauthorized organization deletion, member removal) is successfully executed against the unintended target organization, leading to unauthorized data destruction or disruption.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe successful exploitation of CVE-2026-56246 can lead to severe consequences, including unauthorized data destruction, service disruption, and privilege escalation. An attacker can leverage an improperly scoped API key to delete entire Capgo organizations or remove critical members from them, even if the key was explicitly meant for a different scope. This can cause significant operational downtime, loss of data, and potentially compromise the integrity of multiple organizational structures within Capgo, affecting all users and data associated with the targeted organizations. The broad impact stems from the ability to affect multiple, supposedly isolated, organizations via a single compromised key.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch Capgo instances immediately to version 12.128.2 or later to address CVE-2026-56246.\u003c/li\u003e\n\u003cli\u003eReview and re-evaluate all existing Capgo API keys, especially those with \u003ccode\u003elimited_to_orgs\u003c/code\u003e scope, to ensure they adhere to the principle of least privilege and their permissions are correctly enforced post-patch.\u003c/li\u003e\n\u003cli\u003eImplement strict logging and monitoring for Capgo API key usage, specifically for destructive operations like \u003ccode\u003eDELETE /organization\u003c/code\u003e or \u003ccode\u003eDELETE /organization/members\u003c/code\u003e, to detect anomalous activity related to CVE-2026-56246.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-08T14:21:38Z","date_published":"2026-07-08T14:21:38Z","id":"https://feed.craftedsignal.io/briefs/2026-07-capgo-broken-access-control/","summary":"Capgo versions prior to 12.128.2 contain a broken access control vulnerability (CVE-2026-56246) in their organization management API where a scoped API key inherits the full permissions of its owner-user, allowing an attacker to perform destructive operations against unauthorized organizations, bypassing intended scope and leading to privilege escalation and impact.","title":"CVE-2026-56246 - Capgo Broken Access Control in Organization Management API","url":"https://feed.craftedsignal.io/briefs/2026-07-capgo-broken-access-control/"}],"language":"en","title":"CraftedSignal Threat Feed - Capgo","version":"https://jsonfeed.org/version/1.1"}