PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-56335 Capgo CVE debrief

CVE-2026-56335 is an authorization bypass vulnerability in Capgo before 12.128.2. The vulnerability allows write-scoped API keys to directly mutate protected channel configuration fields through PostgREST by exploiting a null authentication check in the immutability trigger. Attackers with write API keys can modify sensitive channel attributes such as public, allow_emulator, and security-related flags outside intended application routes. This vulnerability has a CVSS score of 7.1 and is classified as HIGH severity.

Vendor
Capgo
Product
Unknown
CVSS
HIGH 7.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-10
Original CVE updated
2026-07-10
Advisory published
2026-07-10
Advisory updated
2026-07-10

Who should care

Users of Capgo before version 12.128.2 should be aware of this vulnerability and take steps to mitigate it. This includes reviewing and updating their API keys and ensuring that only authorized personnel have access to sensitive channel configuration. Operators, platform administrators, vulnerability management teams, and security teams should review the affected scope and take necessary actions.

Technical summary

The vulnerability exists due to a null authentication check in the immutability trigger of PostgREST. This allows write-scoped API keys to modify protected channel configuration fields, including public, allow_emulator, and security-related flags. The affected product is Capgo before version 12.128.2. The vulnerability has a CVSS score of 7.1 and is classified as HIGH severity. The technical impact is that attackers with write API keys can modify sensitive channel attributes outside intended application routes.

Defensive priority

High

Recommended defensive actions

  • Review and update API keys to ensure only authorized personnel have access to sensitive channel configuration.
  • Apply the patch from Capgo version 12.128.2 or later.
  • Monitor for suspicious activity related to channel configuration changes.
  • Implement additional authentication checks for PostgREST API requests.
  • Review compensating controls for exposed systems while remediation is scheduled and verified.
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review.
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented.

Evidence notes

The CVE record was published on 2026-07-10T15:16:42.880Z and last modified on 2026-07-10T16:16:34.187Z. The NVD entry is currently Deferred. The vulnerability was disclosed by Vulncheck. Evidence is limited, and defenders should verify the affected scope and severity with the vendor. The immutability trigger in PostgREST allows write-scoped API keys to modify protected channel configuration fields, including public, allow_emulator, and security-related flags.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-10T15:16:42.880Z and has not been modified since then. The NVD entry is currently Deferred.