Impact
Capgo versions prior to 12.128.2 lack an UPDATE row-level security (RLS) policy on the build_requests table. Because RLS defaults to deny for any command without a matching policy, builder status updates submitted with an API key or through anonymous access are never persisted. Build status and error details are therefore lost, and build_requests rows remain in the pending state with null last_error values. The flaw does not expose sensitive data; its effect is on the integrity and availability of build tracking.
Affected Systems
The vulnerability affects the Capgo product (vendor Capgo, product Capgo). All deployments running a version older than 12.128.2 are affected.
Risk and Exploitability
The CVSS score of 5.3 corresponds to medium severity. No EPSS score is available, and the vulnerability is not listed in CISA KEV. No elevated privilege is needed to reach the condition: any build status update sent through the API with an ordinary API key or anonymous access is discarded by the database's row-level security instead of being applied. The result is a denial-of-service condition for build monitoring rather than a data breach or privilege escalation.
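The following example, added here and not taken from the Capgo code base, illustrates the failure mode described in the Impact and Risk sections above. It assumes a PostgreSQL table (Capgo's real schema, policy names and role model are not shown on this page, so the table definition, the app.org_id setting and the policy names are constructed for illustration). It shows the weak configuration, with RLS enabled but only SELECT and INSERT policies, beside the corrected one that adds an explicit UPDATE policy, plus the query a reviewer would run to check which commands a table actually has policies for.

```sql
-- Constructed illustration, not Capgo's schema: a build_requests table with
-- row-level security enabled and policies for SELECT and INSERT only.
create table build_requests (
  id          bigserial primary key,
  org_id      uuid not null,
  status      text not null default 'pending',
  last_error  text
);
alter table build_requests enable row level security;

-- Hypothetical session setting carrying the caller's organization.
create policy build_requests_select on build_requests
  for select
  using (org_id = current_setting('app.org_id', true)::uuid);

create policy build_requests_insert on build_requests
  for insert
  with check (org_id = current_setting('app.org_id', true)::uuid);

-- Weak state: with no UPDATE policy, a non-owner role's update matches zero
-- rows and returns "UPDATE 0" without raising an error, so the row silently
-- keeps status = 'pending' and last_error = NULL.
update build_requests
   set status = 'failed', last_error = 'compile error'
 where id = 1;

-- Check: list which commands have a policy on the table. A table with RLS
-- enabled and no row for cmd = 'UPDATE' has exactly this gap.
select policyname, cmd
  from pg_policies
 where tablename = 'build_requests'
 order by cmd;

-- Fix: an explicit UPDATE policy scoped to the caller's organization.
-- USING filters which rows may be updated; WITH CHECK validates the new row.
create policy build_requests_update on build_requests
  for update
  using (org_id = current_setting('app.org_id', true)::uuid)
  with check (org_id = current_setting('app.org_id', true)::uuid);
```

One caveat when verifying a fix like this: the table owner and superusers bypass RLS unless `alter table build_requests force row level security` is set, so a test run under the owning role will appear to persist updates even while the policy is missing. Run the check as the same low-privilege role the API uses.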
OpenCVE Enrichment