CVE-2026-56335 in Capgo
Summary
by MITRE • 07/10/2026
Capgo before 12.128.2 contains an authorization bypass vulnerability where write-scoped API keys can directly mutate protected channel configuration fields through PostgREST by exploiting a null authentication check in the immutability trigger. Attackers with write API keys can modify sensitive channel attributes such as public, allow_emulator, and security-related flags outside intended application routes.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 07/10/2026
This vulnerability represents a critical authorization bypass flaw in Capgo versions prior to 12.128.2 that stems from improper authentication validation within the PostgREST backend infrastructure. The weakness manifests through an immutability trigger that fails to properly validate authentication context when processing channel configuration mutations, creating a pathway for unauthorized modifications of protected system attributes. The vulnerability specifically affects write-scoped API keys which should normally be restricted to read operations but can exploit this null authentication check to directly manipulate sensitive channel parameters.
The technical implementation of this flaw resides in the database trigger mechanism that governs channel configuration changes within the PostgREST framework. When a write API key attempts to modify channel properties, the immutability trigger should verify that the operation originates from an authenticated and authorized source. However, due to the null authentication check implementation, the trigger fails to properly validate the request context, allowing malicious actors to bypass standard authorization controls. This design flaw enables attackers to directly mutate fields such as public flags, allow_emulator settings, and other security-sensitive channel attributes without proper validation.
The operational impact of this vulnerability extends beyond simple data modification capabilities, as it fundamentally undermines the application's access control model and configuration integrity. Attackers with write API keys can potentially compromise channel security by enabling emulators, modifying public access settings, or adjusting other critical security flags that should normally require administrative privileges. This creates a persistent threat vector where unauthorized modifications can persist across system sessions and potentially impact multiple connected devices or services that rely on the compromised channel configurations.
This vulnerability aligns with CWE-863 (Incorrect Authorization) and represents a classic case of privilege escalation through improper access control implementation. From an attack framework perspective, it maps to ATT&CK technique T1078.004 (Valid Accounts: Cloud Accounts) and T1566.002 (Phishing: Spearphishing Attachments), as attackers could leverage compromised write credentials to gain deeper system control through configuration manipulation. The vulnerability also intersects with CWE-284 (Improper Access Control) and CWE-352 (Cross-Site Request Forgery) in its ability to bypass expected authorization boundaries.
Effective mitigations for this vulnerability require immediate patching of Capgo installations to version 12.128.2 or later, which includes proper authentication validation within the immutability triggers. Organizations should implement comprehensive monitoring of channel configuration changes and establish automated alerting for unauthorized modifications to sensitive flags such as public access settings and emulator allowances. Additionally, security teams should conduct thorough review of all API key scopes and ensure that write privileges are properly segmented from administrative functions. Network-level controls including API gateway rate limiting and request validation can provide additional defense-in-depth measures while the permanent fix is implemented across all affected systems.