Description
Cap-go before 12.128.2 contains multiple SQL injection vulnerabilities in cloudflare.ts where user-controlled values from API request bodies are interpolated directly into SQL query strings without sanitization or parameterization. Authenticated users with read-level API key permissions can inject arbitrary SQL through deviceIds, search, version_name, cursor, and actions parameters to access analytics data belonging to other users or applications.
Published: 2026-06-22
Score: 7.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Cap-go before version 12.128.2 contains SQL injection flaws in cloudflare.ts. User-controlled fields from API request bodies (deviceIds, search, version_name, cursor, and actions) are concatenated directly into the SQL query strings sent to Cloudflare Analytics Engine, without sanitization or parameterization. An authenticated caller can therefore inject arbitrary SQL into those queries and read analytics data belonging to other users or applications. Both CVSS vectors record high confidentiality impact and no integrity or availability impact, so the effect supported by the record is unauthorized read access, not modification or deletion of data.
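The pattern the advisory describes, shown as an added example rather than Cap-go's own code: a query builder that interpolates request-body fields into SQL text, beside a builder that validates each field against a strict allow-list before it can reach the query. The table and column names, the function names, the allowed action vocabulary and the injection payload are assumptions made for illustration; the advisory does not publish the real query text.

```typescript
// Added example, not Cap-go's code. Table/column names, function names and
// the action vocabulary are assumptions for illustration.

type AnalyticsRequest = {
  deviceIds?: string[];
  search?: string;
  version_name?: string;
  cursor?: string;
  actions?: string[];
};

// Vulnerable pattern: request-body values interpolated straight into the SQL
// text. The app_id predicate comes from the authenticated key, but any later
// field can close its string literal and append its own WHERE logic, so that
// predicate no longer bounds the result set.
function buildQueryUnsafe(appId: string, req: AnalyticsRequest): string {
  let sql = `SELECT * FROM device_usage WHERE app_id = '${appId}'`;
  if (req.deviceIds && req.deviceIds.length) {
    sql += ` AND device_id IN (${req.deviceIds.map(d => `'${d}'`).join(", ")})`;
  }
  if (req.search) sql += ` AND device_id LIKE '%${req.search}%'`;
  if (req.version_name) sql += ` AND version_name = '${req.version_name}'`;
  if (req.actions && req.actions.length) {
    sql += ` AND action IN (${req.actions.map(a => `'${a}'`).join(", ")})`;
  }
  if (req.cursor) sql += ` AND timestamp > ${req.cursor}`;
  return sql + " ORDER BY timestamp LIMIT 100";
}

// Hardened builder. The query reaches Analytics Engine as SQL text and the
// advisory does not say whether bind parameters were an option, so the control
// here is a strict allow-list per field: identifier-like values only, a fixed
// action vocabulary, and a numeric cursor. Anything else is rejected outright
// rather than escaped, and the LIKE wildcards '%' and '_' are kept out of the
// search pattern so a caller cannot widen it either.
const ID_RE = /^[A-Za-z0-9_-]{1,64}$/;                                // assumed device id format
const SEARCH_RE = /^[A-Za-z0-9-]{1,64}$/;                             // no '%' or '_' wildcards
const VERSION_RE = /^[0-9]+(\.[0-9]+){0,3}(-[A-Za-z0-9.]{1,32})?$/;   // semver-like
const CURSOR_RE = /^[0-9]{1,16}$/;                                    // numeric cursor only
const ALLOWED_ACTIONS = ["get", "set", "fail", "reset", "delete"];    // assumed vocabulary

class ValidationError extends Error {
  constructor(message: string) { super(message); this.name = "ValidationError"; }
}

function requireMatch(name: string, value: string, re: RegExp): string {
  if (!re.test(value)) throw new ValidationError(`invalid ${name}`);
  return value;
}

function buildQuerySafe(appId: string, req: AnalyticsRequest): string {
  const where = [`app_id = '${requireMatch("app_id", appId, ID_RE)}'`];
  if (req.deviceIds && req.deviceIds.length) {
    if (req.deviceIds.length > 100) throw new ValidationError("too many deviceIds");
    const ids = req.deviceIds.map(d => `'${requireMatch("deviceId", d, ID_RE)}'`);
    where.push(`device_id IN (${ids.join(", ")})`);
  }
  if (req.search !== undefined) {
    where.push(`device_id LIKE '%${requireMatch("search", req.search, SEARCH_RE)}%'`);
  }
  if (req.version_name !== undefined) {
    where.push(`version_name = '${requireMatch("version_name", req.version_name, VERSION_RE)}'`);
  }
  if (req.actions && req.actions.length) {
    const acts = req.actions.map(a => {
      if (ALLOWED_ACTIONS.indexOf(a) === -1) throw new ValidationError(`invalid action ${a}`);
      return `'${a}'`;
    });
    where.push(`action IN (${acts.join(", ")})`);
  }
  if (req.cursor !== undefined) {
    where.push(`timestamp > ${requireMatch("cursor", req.cursor, CURSOR_RE)}`);
  }
  return `SELECT * FROM device_usage WHERE ${where.join(" AND ")} ORDER BY timestamp LIMIT 100`;
}

// A search value that closes the literal and ORs in every app. The unsafe
// builder emits it verbatim; the validating builder refuses the request.
const PAYLOAD = "x%' OR app_id != '' OR device_id LIKE '%";

function demo(): { unsafe: string; safeRejected: boolean } {
  const unsafe = buildQueryUnsafe("app_a", { search: PAYLOAD });
  let safeRejected = false;
  try {
    buildQuerySafe("app_a", { search: PAYLOAD });
  } catch (e) {
    safeRejected = (e as Error).name === "ValidationError";
  }
  return { unsafe, safeRejected };
}
```

The point of the payload is that it never needs to know the scoping predicate: one `OR` appended after the caller-controlled literal is enough to make the `app_id` condition irrelevant. Even where a query API does accept bind parameters, an `IN (...)` list of caller-supplied values and a `LIKE` pattern still need per-element validation, which is why the hardened builder validates every field regardless of how the final query is shipped.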

Affected Systems

Cap-go, all deployments running a version earlier than 12.128.2. The vulnerability is in the cloudflare.ts module and applies to any instance that exposes the API endpoints whose handlers build Cloudflare Analytics Engine queries from request-body fields.

Risk and Exploitability

The CVSS v4.0 score of 7.1 is rated High (the v3.1 vector scores 6.5, Medium). No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires a valid API key with only read-level permissions: the attacker sends crafted request bodies to the endpoints that query Analytics Engine, placing SQL fragments in deviceIds, search, version_name, cursor, or actions. Because the query is assembled by string concatenation, an injected fragment can alter its WHERE logic, which is how analytics data of other users or applications becomes readable. Both vectors record no integrity or availability impact, and no privilege escalation or remote code execution is described, so the threat is confidentiality: exposure of analytics data across tenant boundaries.

Generated by OpenCVE AI on June 22, 2026 at 23:38 UTC.

Remediation

The CVE record lists no vendor fix or workaround, but its description states that only versions before 12.128.2 are affected, so 12.128.2 is the first release not listed as vulnerable.

OpenCVE Recommended Actions

  • Update Cap-go to version 12.128.2 or later, the first version not listed as affected.
  • Restrict API keys to the minimum permissions necessary; a read-level key is enough to exploit this flaw, so do not issue such keys where they are not required and rotate any that may have been exposed.
  • Audit Analytics Engine API usage for unexplained queries and review request logs for the listed parameters (deviceIds, search, version_name, cursor, actions) carrying quote characters, SQL comment markers, or SQL keywords.
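One way to carry out the log review above, as an added example that is not Cap-go's own code or tooling: a triage pass over API request logs that flags the advisory's five parameters when they carry the characters an injection needs, then pivots the hits by API key, since exploitation here requires a valid key. The log format, field names and sample entries are constructed for illustration.

```typescript
// Added example, not Cap-go's code. Log format, field names and sample
// entries are constructed for illustration.

type LogEntry = { ts: string; key_id: string; path: string; body: { [field: string]: unknown } };
type Finding = { ts: string; key_id: string; field: string; value: string; indicators: string[] };

// The request-body parameters the advisory names as injection points.
const WATCHED_FIELDS = ["deviceIds", "search", "version_name", "cursor", "actions"];

// Indicators: a quote that would close a string literal, a SQL comment
// marker, a statement separator, or query keywords that have no place in an
// identifier-like value. Tuned for low noise on these fields, not as a
// general SQL grammar check; a hit is a lead to inspect, not a verdict.
const INDICATORS: Array<[string, RegExp]> = [
  ["quote", /['"`]/],
  ["comment", /--|\/\*/],
  ["separator", /;/],
  ["keyword", /\b(or|and|union|select|from|where)\b/i],
];

function indicatorsFor(value: string): string[] {
  const hits: string[] = [];
  for (const [name, re] of INDICATORS) if (re.test(value)) hits.push(name);
  return hits;
}

// Array-valued fields (deviceIds, actions) are checked element by element,
// since one poisoned element is all an IN (...) list needs.
function scanEntry(entry: LogEntry): Finding[] {
  const findings: Finding[] = [];
  for (const field of WATCHED_FIELDS) {
    const raw = entry.body[field];
    if (raw === undefined || raw === null) continue;
    const values: unknown[] = Array.isArray(raw) ? raw : [raw];
    for (const v of values) {
      const s = String(v);
      const hits = indicatorsFor(s);
      if (hits.length) findings.push({ ts: entry.ts, key_id: entry.key_id, field, value: s, indicators: hits });
    }
  }
  return findings;
}

// One JSON object per line, as an API gateway or request logger would emit.
function scanLog(log: string): Finding[] {
  const findings: Finding[] = [];
  for (const line of log.split("\n")) {
    if (!line.trim()) continue;
    for (const f of scanEntry(JSON.parse(line) as LogEntry)) findings.push(f);
  }
  return findings;
}

// Pivot by API key: repeated hits from one key in a short window is the
// pattern to chase, and the key to rotate.
function findingsByKey(findings: Finding[]): { [key_id: string]: number } {
  const counts: { [key_id: string]: number } = {};
  for (const f of findings) counts[f.key_id] = (counts[f.key_id] || 0) + 1;
  return counts;
}

// Constructed sample log: two benign requests and two carrying injection
// attempts in fields the advisory lists.
const SAMPLE_LOG = [
  `{"ts":"2026-06-20T10:00:00Z","key_id":"k1","path":"/stats","body":{"deviceIds":["d-1","d-2"],"cursor":"1718870400"}}`,
  `{"ts":"2026-06-20T10:00:05Z","key_id":"k2","path":"/stats","body":{"search":"d-1","version_name":"1.4.2"}}`,
  `{"ts":"2026-06-20T10:01:00Z","key_id":"k2","path":"/stats","body":{"search":"x%' OR app_id != '' OR device_id LIKE '%"}}`,
  `{"ts":"2026-06-20T10:01:30Z","key_id":"k3","path":"/stats","body":{"actions":["get","set') UNION SELECT app_id,1,1 FROM device_usage --"],"cursor":"0"}}`,
].join("\n");
```

Run `scanLog(SAMPLE_LOG)` and the two poisoned entries come back with their field, value and the indicators that fired; `findingsByKey` then shows which keys produced them. Because the fields normally hold identifiers, version strings and numbers, a quote or a bare `OR`/`UNION` in them is rare enough that the check stays quiet on benign traffic, but anything it flags still needs a human look at the full request.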

Advisories

No advisories yet.

History

Mon, 22 Jun 2026 22:00:00 +0000

Type        | Values Removed | Values Added
Description |                | Cap-go before 12.128.2 contains multiple SQL injection vulnerabilities in cloudflare.ts where user-controlled values from API request bodies are interpolated directly into SQL query strings without sanitization or parameterization. Authenticated users with read-level API key permissions can inject arbitrary SQL through deviceIds, search, version_name, cursor, and actions parameters to access analytics data belonging to other users or applications.
Title       |                | Cap-go - SQL Injection in Cloudflare Analytics Engine Queries via cloudflare.ts
Weaknesses  |                | CWE-89
References  |                |
Metrics     |                | cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}
            |                | cvssV4_0: {'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-22T21:04:43.355Z

Reserved: 2026-06-19T21:43:24.737Z

Link: CVE-2026-56221

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-22T23:45:04Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')