CVE-2026-56220
MEDIUM
NVD
CVSS Score
6.5
Severity
MEDIUM
Published
Jul 08, 2026
Vendor
unknown
Description
Capgo before 12.128.2 contains an authorization bypass vulnerability in the public.manifest INSERT policy that allows read-only org members to insert OTA manifest rows. Attackers with read-only org access can inject malicious manifest entries with arbitrary s3_path values that are served to devices via the unauthenticated /updates endpoint, enabling OTA metadata poisoning and potential malicious asset delivery.