PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-56220 Capgo CVE debrief

CVE-2026-56220 is an authorization bypass vulnerability in Capgo before version 12.128.2. The vulnerability exists in the public.manifest INSERT policy, allowing read-only org members to insert OTA manifest rows. This could enable attackers with read-only org access to inject malicious manifest entries with arbitrary s3_path values, served to devices via the unauthenticated /updates endpoint. This could lead to OTA metadata poisoning and potential malicious asset delivery.

Vendor
Capgo
Product
Unknown
CVSS
HIGH 7.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-08
Original CVE updated
2026-07-08
Advisory published
2026-07-08
Advisory updated
2026-07-08

Who should care

Organizations using Capgo versions prior to 12.128.2 should be aware of this vulnerability. Specifically, those with read-only org members who could potentially be exploited to inject malicious manifest entries. The vulnerability's high CVSS score of 7.1 indicates its potential impact.

Technical summary

The CVE-2026-56220 vulnerability is caused by an authorization bypass in the public.manifest INSERT policy of Capgo. This allows read-only org members to insert OTA manifest rows. The vulnerability can be exploited by attackers with read-only org access to inject malicious manifest entries. These entries can include arbitrary s3_path values that are served to devices via the unauthenticated /updates endpoint. This could lead to OTA metadata poisoning and the potential delivery of malicious assets to devices.

Defensive priority

High priority should be given to updating Capgo to version 12.128.2 or later. Organizations should also review their current org member permissions and monitor for any suspicious activity related to OTA manifest insertions.

Recommended defensive actions

  • Update Capgo to version 12.128.2 or later.
  • Review and restrict org member permissions to prevent unauthorized manifest insertions.
  • Monitor for suspicious activity related to OTA manifest insertions and /updates endpoint usage.
  • Implement additional security measures to detect and prevent potential malicious asset delivery.
  • Perform a thorough review of the organization's Capgo deployment to identify potential exposure.
  • Verify that all read-only org members have their permissions reviewed and restricted if necessary.
  • Track and document all changes made to the Capgo deployment and configurations.

Evidence notes

The CVE record was published on 2026-07-08T14:17:15.277Z and was last modified on 2026-07-08T18:16:33.370Z. The NVD entry is currently Deferred. The vulnerability has a CVSS score of 7.1 and is classified as HIGH severity.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-08T14:17:15.277Z and has not been modified since then. The NVD entry is currently Deferred.