ГлавнаяУязвимости → CVE-2026-56250
7.5высокая

CVE-2026-56250

Описание

Capgo before 12.128.2 allows upload-scoped API keys to modify the mutable app_versions.r2_path field through PostgREST, enabling retargeting to arbitrary R2 bundle objects. Attackers can patch r2_path to point to victim objects, soft-delete the attacker-controlled version, and trigger the on_version_update cleanup function to delete the victim R2 object, causing denial of service and bundle availability disruption.

CVSS
Балл7.5 — высокая
ВекторCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Источники
https://github.com/Cap-go/capgo/security/advisories/GHSA-pw8p-5jg6-cxj3https://www.vulncheck.com/advisories/capgo-arbitrary-r2-object-deletion-via-mutable-r2-path-in-app-versionshttps://github.com/Cap-go/capgo/security/advisories/GHSA-pw8p-5jg6-cxj3