Arbitrary Object Deletion in Capgo Product by Capgo Vendor
CVE-2026-56250
8.7HIGH
What is CVE-2026-56250?
Capgo versions before 12.128.2 face a significant vulnerability where upload-scoped API keys can manipulate the mutable app_versions.r2_path field via PostgREST. This vulnerability allows attackers to redirect r2_path to any arbitrary R2 bundle object. By selectively soft-deleting the attacker's version and triggering the on_version_update cleanup function, they can permanently delete the targeted victim's R2 object. This misconfiguration leads to service disruptions, including denial of service and compromise of bundle availability.
Affected Version(s)
Capgo 0 < 12.128.2
Capgo 12.128.2
