Description
Cap-go before 12.128.12 contains a broken cursor pagination vulnerability in the /private/devices endpoint on the Cloudflare/workerd path that allows authenticated attackers to cause duplicate-page loops and make later rows unreachable. Attackers with app.read_devices access can exploit non-advancing cursor filters to trigger infinite pagination loops, prevent dataset traversal, and cause repeated processing in device-management workflows.
Published: 2026-06-20
Score: 5.3 Medium (CVSS v4.0; the CVSS v3.1 base score is 4.3)
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Cap-go before 12.128.12 suffers a broken cursor pagination flaw in the /private/devices endpoint served via Cloudflare/workerd. An authenticated user with app.read_devices rights can supply a cursor filter that never advances, so the endpoint returns the same page on every request: rows after that page become unreachable, and any workflow that walks the device list processes the same rows repeatedly. The weakness is tracked as CWE-670, Always-Incorrect Control Flow Implementation; it is a control-flow defect in the paging routine rather than a pagination-specific CWE.
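To make the failure mode concrete, the following is an added, self-contained TypeScript model of cursor pagination over a device table. It is illustrative code, not Capgo's implementation; the table shape, the field names updatedAt and deviceId, the page size and the cursor format are all assumptions. It shows a cursor filter that does not advance (the duplicate-page loop and unreachable rows the description refers to), a hardened keyset version, and a client-side traversal guard of the kind a device-management job or a log monitor can use to detect a stalled traversal.

```typescript
// Illustrative model of cursor pagination over a device table (not Capgo's
// code). Field names, page size and cursor format are assumptions.

interface Device {
  deviceId: string;
  updatedAt: number; // epoch milliseconds
}

interface Page {
  rows: Device[];
  nextCursor: string | null;
}

// Constructed sample data: three devices share the same updatedAt, which is
// the boundary where a single-column, non-strict cursor filter stops advancing.
const DEVICES: Device[] = [
  { deviceId: "d-01", updatedAt: 1000 },
  { deviceId: "d-02", updatedAt: 1000 },
  { deviceId: "d-03", updatedAt: 1000 },
  { deviceId: "d-04", updatedAt: 2000 },
  { deviceId: "d-05", updatedAt: 3000 },
];

const PAGE_SIZE = 2;

// Total order over the full sort key (updatedAt, deviceId).
function compareKey(a: Device, b: Device): number {
  if (a.updatedAt !== b.updatedAt) return a.updatedAt - b.updatedAt;
  return a.deviceId < b.deviceId ? -1 : a.deviceId > b.deviceId ? 1 : 0;
}

// Broken: the cursor carries only updatedAt and the filter is ">=". When a
// page ends inside a run of equal timestamps, the "next" cursor equals the
// current one, the same page is served again, and d-03..d-05 are unreachable.
function listDevicesBroken(cursor: string | null): Page {
  const since = cursor === null ? -Infinity : Number(cursor);
  const rows = DEVICES.filter((d) => d.updatedAt >= since)
    .sort(compareKey)
    .slice(0, PAGE_SIZE);
  const nextCursor =
    rows.length === PAGE_SIZE ? String(rows[rows.length - 1].updatedAt) : null;
  return { rows, nextCursor };
}

// Hardened: keyset cursor over the whole sort key with a strict "after"
// comparison, so every page starts strictly past the previous one and the
// traversal terminates. The cursor is validated before use so a client cannot
// supply a partial or malformed key.
function encodeCursor(d: Device): string {
  return JSON.stringify([d.updatedAt, d.deviceId]);
}

function decodeCursor(cursor: string): Device {
  let parsed: unknown;
  try {
    parsed = JSON.parse(cursor);
  } catch {
    throw new Error("malformed cursor");
  }
  if (
    !Array.isArray(parsed) || parsed.length !== 2 ||
    typeof parsed[0] !== "number" || !Number.isFinite(parsed[0]) ||
    typeof parsed[1] !== "string"
  ) {
    throw new Error("malformed cursor");
  }
  return { updatedAt: parsed[0], deviceId: parsed[1] };
}

function listDevicesFixed(cursor: string | null): Page {
  const after = cursor === null ? null : decodeCursor(cursor);
  const rows = DEVICES.filter((d) => after === null || compareKey(d, after) > 0)
    .sort(compareKey)
    .slice(0, PAGE_SIZE);
  const nextCursor =
    rows.length === PAGE_SIZE ? encodeCursor(rows[rows.length - 1]) : null;
  return { rows, nextCursor };
}

// Client-side guard for device-management workflows: walks every page but
// stops as soon as the cursor fails to advance or a device id repeats, so a
// stalled endpoint cannot spin the job forever. `stalled` is the condition a
// monitor would alert on.
function collectAllDevices(
  list: (cursor: string | null) => Page,
  maxPages = 1000,
): { ids: string[]; stalled: boolean } {
  const ids: string[] = [];
  const seen = new Set<string>();
  let cursor: string | null = null;
  for (let i = 0; i < maxPages; i++) {
    const page = list(cursor);
    for (const d of page.rows) {
      if (seen.has(d.deviceId)) return { ids, stalled: true }; // duplicate page
      seen.add(d.deviceId);
      ids.push(d.deviceId);
    }
    if (page.nextCursor === null) return { ids, stalled: false }; // done
    if (page.nextCursor === cursor) return { ids, stalled: true }; // no progress
    cursor = page.nextCursor;
  }
  return { ids, stalled: true }; // page budget exhausted
}

console.log(collectAllDevices(listDevicesBroken)); // stalled: true, only d-01 and d-02
console.log(collectAllDevices(listDevicesFixed));  // stalled: false, all five ids
```

The broken variant stalls on the very first boundary because the cursor value it hands back ("1000") selects the same rows again; the fixed variant keys on the complete sort tuple and filters strictly after it. In a real deployment the cursor would additionally be made opaque (base64url encoded and, ideally, signed) so that clients cannot hand-craft keys, and the page-budget and duplicate checks in collectAllDevices are the cheap safety net that keeps a broken server from turning a bulk job into an infinite loop.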

Affected Systems

The affected system is the Cap-go application in versions prior to 12.128.12. Exploitation requires an authenticated account with app.read_devices access to the /private/devices endpoint.

Risk and Exploitability

The CVSS v4.0 base score is 5.3 (Medium); the v3.1 vector scores 4.3, with a low availability impact and no confidentiality or integrity impact (C:N/I:N/A:L). EPSS data is unavailable, and the vulnerability is not listed in the CISA KEV catalog. An attacker must be authenticated and hold app.read_devices privileges. No public exploit is listed, but the abuse consists of ordinary authenticated requests carrying a non-advancing cursor, so the absence of exploit code does not lessen the risk of disruption to device-listing operations.

Generated by OpenCVE AI on June 20, 2026 at 17:21 UTC.

Remediation

No vendor advisory or workaround is listed on this page. The CVE description identifies 12.128.12 as the first unaffected version.

OpenCVE Recommended Actions

  • Update Cap-go to version 12.128.12 or later to receive the fixed pagination logic.
  • If upgrading is not immediately possible, revoke app.read_devices permissions from users who do not need device-listing capabilities, or restrict access to the /private/devices endpoint.
  • Monitor application logs for repeated requests to /private/devices that carry the same cursor value, or that return the same set of device identifiers across consecutive pages, together with the sustained query load such a loop places on the device table; either pattern indicates a stalled traversal.

Advisories

No advisories yet.

History

Sat, 20 Jun 2026 16:15:00 +0000

Type         Values removed   Values added
Description  (empty)          Cap-go before 12.128.12 contains a broken cursor pagination vulnerability in the /private/devices endpoint on the Cloudflare/workerd path that allows authenticated attackers to cause duplicate-page loops and make later rows unreachable. Attackers with app.read_devices access can exploit non-advancing cursor filters to trigger infinite pagination loops, prevent dataset traversal, and cause repeated processing in device-management workflows.
Title        (empty)          Cap-go - Broken Cursor Pagination in /private/devices Endpoint
Weaknesses   (empty)          CWE-670
References   (empty)          (empty)
Metrics      (empty)          cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L'}
                              cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-20T15:24:47.476Z

Reserved: 2026-06-20T12:53:19.893Z

Link: CVE-2026-56307

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-20T17:30:08Z

Weaknesses
  • CWE-670

    Always-Incorrect Control Flow Implementation