Description
Capgo before 12.128.2 lacks an UPDATE row-level security policy for the build_requests table, preventing API-key and anonymous access from persisting builder status updates. Attackers can exploit this missing policy to cause build status and error details to remain unpersisted, leaving build_requests rows stuck in pending state with null last_error values.
Published: 2026-06-30
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Capgo versions prior to 12.128.2 lack an UPDATE row-level security policy on the build_requests table, so neither API-key nor anonymous access can persist builder status updates. An attacker can exploit the missing policy to cause build status and error details to remain unpersisted, leaving build_requests rows in a pending state with null last_error values. The flaw does not expose sensitive data, but it undermines the accuracy and reliability of build tracking.

Affected Systems

The vulnerability affects the Capgo component (Capgo:Capgo) in all deployments running a version older than 12.128.2.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate severity. No EPSS score is available, and the vulnerability is not listed in CISA KEV. An attacker can exploit the flaw by sending build status updates through the API using an ordinary API key or anonymous access, causing the persistence layer to reject the update. The result is a denial‑of‑service condition for build monitoring rather than a direct data breach or privilege escalation.

Generated by OpenCVE AI on June 30, 2026 at 23:22 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Update Capgo to version 12.128.2 or newer, which includes the missing UPDATE RLS policy for the build_requests table.
  • Configure the build_requests table to enforce an UPDATE RLS policy that allows the intended roles to write status changes, ensuring API‑key and anonymous requests can persist build results.
  • Limit or disable anonymous API access until the policy is in place to prevent incomplete build status updates from being processed.
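As an added illustration of the second recommended action (this is example SQL, not Capgo's own schema or migration), the following PostgreSQL statements show the failure mode and the fix side by side: once row-level security is enabled on a table that has no UPDATE policy, PostgreSQL denies every UPDATE from a non-owner role (the statement succeeds but affects zero rows), which is exactly why status and last_error stay unwritten; adding an explicit FOR UPDATE policy scoped to the builder role restores persistence without opening the table to anonymous writes. The table name build_requests and the column last_error come from the advisory; the role name builder, the columns id, status and updated_at, and the status values are assumptions.

```sql
-- Added example, not Capgo's migration. Assumed: role "builder", columns
-- id/status/updated_at and the status values; build_requests and last_error
-- come from the advisory text.

-- Vulnerable state: RLS is enabled but no UPDATE policy exists, so for any
-- non-owner role an UPDATE silently matches 0 rows. Rows therefore stay
-- 'pending' with last_error = NULL even though the builder reported a result.
ALTER TABLE build_requests ENABLE ROW LEVEL SECURITY;

-- Corrected state, part 1: an UPDATE policy for the builder role only.
-- USING restricts which existing rows may be targeted; WITH CHECK restricts
-- what the row may look like after the update.
CREATE POLICY build_requests_builder_update
    ON build_requests
    FOR UPDATE
    TO builder
    USING (status = 'pending')
    WITH CHECK (status IN ('success', 'failed'));

-- Corrected state, part 2: an UPDATE whose WHERE clause reads existing
-- columns also needs a SELECT policy, otherwise the row set is empty again.
CREATE POLICY build_requests_builder_select
    ON build_requests
    FOR SELECT
    TO builder
    USING (true);

-- Column-level grants: the builder may read what it needs to locate a row
-- and write only the result fields. No grant is given to the anonymous role.
GRANT SELECT (id, status) ON build_requests TO builder;
GRANT UPDATE (status, last_error, updated_at) ON build_requests TO builder;

-- Verification (run as the builder role): expect "UPDATE 1" for a pending
-- row and "UPDATE 0" for a row that has already finished.
-- SET ROLE builder;
-- UPDATE build_requests
--    SET status = 'failed', last_error = 'compile error', updated_at = now()
--  WHERE id = '<pending-row-id>';
```

Checking for the missing policy is a one-line query against the catalog: `SELECT policyname, cmd FROM pg_policies WHERE tablename = 'build_requests';` should list an UPDATE (or ALL) policy for the role the builder connects as; if it lists none, every builder status update is being dropped.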

Advisories

No advisories yet.

History

Tue, 30 Jun 2026 22:45:00 +0000

Type: Description
  Values Removed: (empty)
  Values Added: Capgo before 12.128.2 lacks an UPDATE row-level security policy for the build_requests table, preventing API-key and anonymous access from persisting builder status updates. Attackers can exploit this missing policy to cause build status and error details to remain unpersisted, leaving build_requests rows stuck in pending state with null last_error values.

Type: Title
  Values Removed: (empty)
  Values Added: Capgo - Missing UPDATE RLS Policy for Build Status Persistence

Type: Weaknesses
  Values Removed: (empty)
  Values Added: CWE-284

Type: References
  Values Removed: (empty)
  Values Added: (empty)

Type: Metrics
  Values Removed: (empty)
  Values Added:
    cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}
    cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-30T22:08:34.059Z

Reserved: 2026-06-20T13:13:56.012Z

Link: CVE-2026-56334

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-30T23:30:04Z

Weaknesses