CVE-2026-56307
MediumCVSS 4.3Exploitation Probability (EPSS)
Low risk15th percentile — higher than 15% of all known CVEs
Summary
Cap-go before version 12.128.12 contains a broken cursor pagination vulnerability in the /private/devices endpoint, allowing authenticated attackers to cause duplicate-page loops and make later rows unreachable.
Risk Assessment
Attackers with app.read_devices access can exploit this vulnerability to trigger infinite pagination loops, leading to issues in device management workflows.
Recommendation
It is recommended to upgrade to Cap-go version 12.128.12 or later to mitigate this vulnerability and review access to the /private/devices endpoint.
Original NVD description (English source)
Cap-go before 12.128.12 contains a broken cursor pagination vulnerability in the /private/devices endpoint on the Cloudflare/workerd path that allows authenticated attackers to cause duplicate-page loops and make later rows unreachable. Attackers with app.read_devices access can exploit non-advancing cursor filters to trigger infinite pagination loops, prevent dataset traversal, and cause repeated processing in device-management workflows.

