CVE-2026-56307
Severity CVSS v4.0:
MEDIUM
Type:
Unavailable / Other
Publication date:
20/06/2026
Last modified:
22/06/2026
Description
Cap-go before 12.128.12 contains a broken cursor pagination vulnerability in the /private/devices endpoint on the Cloudflare/workerd path that allows authenticated attackers to cause duplicate-page loops and make later rows unreachable. Attackers with app.read_devices access can exploit non-advancing cursor filters to trigger infinite pagination loops, prevent dataset traversal, and cause repeated processing in device-management workflows.
Impact
Base Score 4.0
5.30
Severity 4.0
MEDIUM
Base Score 3.x
4.30
Severity 3.x
MEDIUM



