Plan Quota Enforcement Bypass in Capgo by Capgo
CVE-2026-56309

5.3MEDIUM

Key Information:

Vendor

Capgo

Status
Vendor
CVE Published:
10 July 2026

What is CVE-2026-56309?

Capgo versions prior to 12.128.2 contain a significant vulnerability where the /files/upload/attachments endpoint does not enforce necessary plan and quota restrictions. This oversight allows applications with insufficient privileges to create publicly accessible R2 objects, thereby circumventing established limitations. Attackers leveraging upload-scoped API keys can execute arbitrary file uploads that evade plan checks, persist beyond the normal bounds of application metadata, and remain intact even after app deletion. This not only poses a risk to data privacy but also facilitates the potential for misuse regarding storage and bandwidth resources.

Affected Version(s)

Capgo 0 < 12.128.2

Capgo 12.128.2

References

CVSS V4

Score:
5.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Judel777
.