CVE-2026-56221 Cap-go CVE debrief

Who should care

Organizations using Cap-go before version 12.128.2 should be aware of this vulnerability and take immediate action to remediate. Specifically, administrators of Cap-go instances with exposed analytics engines, security teams monitoring for potential SQL injection attacks, and developers integrating Cap-go with other applications should prioritize patching and monitoring.

Technical summary

The vulnerability exists in the cloudflare.ts file of Cap-go, where user-controlled values from API request bodies are interpolated directly into SQL query strings without sanitization or parameterization. This allows authenticated users with read-level API key permissions to inject arbitrary SQL through deviceIds, search, version_name, cursor, and actions parameters. The vulnerability can be exploited to access analytics data belonging to other users or applications.

Defensive priority

High priority should be given to patching Cap-go instances to version 12.128.2 or later. In the meantime, defenders can implement additional monitoring and logging to detect potential SQL injection attacks.

Recommended defensive actions

• Patch Cap-go instances to version 12.128.2 or later
• Implement additional monitoring and logging to detect potential SQL injection attacks
• Restrict API access to only necessary users and applications
• Use parameterized queries or prepared statements to prevent SQL injection
• Regularly review and update Cap-go configurations to ensure security best practices are followed

Evidence notes

The CVE-2026-56221 vulnerability was reported by Vulncheck and has been confirmed by the Cap-go development team. The vulnerability affects Cap-go versions before 12.128.2. The CVE has a CVSS score of 7.1 and is classified as HIGH.

Official resources