Plan Quota Enforcement Bypass in Capgo by Capgo
CVE-2026-56309
5.3MEDIUM
What is CVE-2026-56309?
Capgo versions prior to 12.128.2 contain a significant vulnerability where the /files/upload/attachments endpoint does not enforce necessary plan and quota restrictions. This oversight allows applications with insufficient privileges to create publicly accessible R2 objects, thereby circumventing established limitations. Attackers leveraging upload-scoped API keys can execute arbitrary file uploads that evade plan checks, persist beyond the normal bounds of application metadata, and remain intact even after app deletion. This not only poses a risk to data privacy but also facilitates the potential for misuse regarding storage and bandwidth resources.
Affected Version(s)
Capgo 0 < 12.128.2
Capgo 12.128.2
