Arbitrary Object Deletion in Capgo Product by Capgo Vendor
CVE-2026-56250

8.7HIGH

Key Information:

Vendor

Capgo

Status
Vendor
CVE Published:
8 July 2026

What is CVE-2026-56250?

Capgo versions before 12.128.2 face a significant vulnerability where upload-scoped API keys can manipulate the mutable app_versions.r2_path field via PostgREST. This vulnerability allows attackers to redirect r2_path to any arbitrary R2 bundle object. By selectively soft-deleting the attacker's version and triggering the on_version_update cleanup function, they can permanently delete the targeted victim's R2 object. This misconfiguration leads to service disruptions, including denial of service and compromise of bundle availability.

Affected Version(s)

Capgo 0 < 12.128.2

Capgo 12.128.2

References

CVSS V4

Score:
8.7
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Judel777
.