PatchSiren cyber security CVE debrief
CVE-2026-56220 Capgo CVE debrief
CVE-2026-56220 is an authorization bypass vulnerability in Capgo before version 12.128.2. The vulnerability exists in the public.manifest INSERT policy, allowing read-only org members to insert OTA manifest rows. This could enable attackers with read-only org access to inject malicious manifest entries with arbitrary s3_path values, served to devices via the unauthenticated /updates endpoint. This could lead to OTA metadata poisoning and potential malicious asset delivery.
- Vendor
- Capgo
- Product
- Unknown
- CVSS
- HIGH 7.1
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-08
- Original CVE updated
- 2026-07-08
- Advisory published
- 2026-07-08
- Advisory updated
- 2026-07-08
Who should care
Organizations using Capgo versions prior to 12.128.2 should be aware of this vulnerability. Specifically, those with read-only org members who could potentially be exploited to inject malicious manifest entries. The vulnerability's high CVSS score of 7.1 indicates its potential impact.
Technical summary
The CVE-2026-56220 vulnerability is caused by an authorization bypass in the public.manifest INSERT policy of Capgo. This allows read-only org members to insert OTA manifest rows. The vulnerability can be exploited by attackers with read-only org access to inject malicious manifest entries. These entries can include arbitrary s3_path values that are served to devices via the unauthenticated /updates endpoint. This could lead to OTA metadata poisoning and the potential delivery of malicious assets to devices.
Defensive priority
High priority should be given to updating Capgo to version 12.128.2 or later. Organizations should also review their current org member permissions and monitor for any suspicious activity related to OTA manifest insertions.
Recommended defensive actions
- Update Capgo to version 12.128.2 or later.
- Review and restrict org member permissions to prevent unauthorized manifest insertions.
- Monitor for suspicious activity related to OTA manifest insertions and /updates endpoint usage.
- Implement additional security measures to detect and prevent potential malicious asset delivery.
- Perform a thorough review of the organization's Capgo deployment to identify potential exposure.
- Verify that all read-only org members have their permissions reviewed and restricted if necessary.
- Track and document all changes made to the Capgo deployment and configurations.
Evidence notes
The CVE record was published on 2026-07-08T14:17:15.277Z and was last modified on 2026-07-08T18:16:33.370Z. The NVD entry is currently Deferred. The vulnerability has a CVSS score of 7.1 and is classified as HIGH severity.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-08T14:17:15.277Z and has not been modified since then. The NVD entry is currently Deferred.