CVE Catalog

CVE-2026-56307

MediumCVSS 4.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.24%

15th percentile — higher than 15% of all known CVEs

Summary

Cap-go before version 12.128.12 contains a broken cursor pagination vulnerability in the /private/devices endpoint, allowing authenticated attackers to cause duplicate-page loops and make later rows unreachable.

Risk Assessment

Attackers with app.read_devices access can exploit this vulnerability to trigger infinite pagination loops, leading to issues in device management workflows.

Recommendation

It is recommended to upgrade to Cap-go version 12.128.12 or later to mitigate this vulnerability and review access to the /private/devices endpoint.

Original NVD description (English source)

Cap-go before 12.128.12 contains a broken cursor pagination vulnerability in the /private/devices endpoint on the Cloudflare/workerd path that allows authenticated attackers to cause duplicate-page loops and make later rows unreachable. Attackers with app.read_devices access can exploit non-advancing cursor filters to trigger infinite pagination loops, prevent dataset traversal, and cause repeated processing in device-management workflows.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS