Stats Digest Feeds
โ† Back to all CVEs

CVE-2026-56220

MEDIUM NVD
CVSS Score 6.5
Severity MEDIUM
Published Jul 08, 2026
Vendor unknown

Description

Capgo before 12.128.2 contains an authorization bypass vulnerability in the public.manifest INSERT policy that allows read-only org members to insert OTA manifest rows. Attackers with read-only org access can inject malicious manifest entries with arbitrary s3_path values that are served to devices via the unauthenticated /updates endpoint, enabling OTA metadata poisoning and potential malicious asset delivery.

References