CVE-2026-56307 Overview
CVE-2026-56307 is a broken cursor pagination vulnerability in Cap-go (capgo) versions before 12.128.12. The flaw resides in the /private/devices endpoint running on the Cloudflare/workerd path. Authenticated attackers holding app.read_devices access can supply non-advancing cursor filters that cause the pagination logic to loop on the same page. This makes later rows in the dataset unreachable and triggers repeated processing in device-management workflows. The vulnerability is classified under [CWE-670: Always-Incorrect Control Flow Implementation].
Critical Impact
Authenticated attackers can cause duplicate-page loops in the /private/devices endpoint, preventing full dataset traversal and degrading availability of device-management workflows.
Affected Products
- Cap-go (capgo) versions prior to 12.128.12
- /private/devices endpoint on the Cloudflare/workerd runtime path
- Device-management workflows that depend on cursor-based pagination over the capgo API
Discovery Timeline
- 2026-06-20 - CVE-2026-56307 published to NVD
- 2026-06-22 - Last updated in NVD database
Technical Details for CVE-2026-56307
Vulnerability Analysis
The /private/devices endpoint in Cap-go implements cursor-based pagination to traverse device records. The cursor logic fails to advance correctly when specific filter values are supplied by the caller. Instead of moving the cursor forward after each page, the endpoint returns the same set of rows on subsequent requests. Clients iterating through the dataset enter an infinite loop and never reach later records.
The issue requires authentication and the app.read_devices permission, limiting exploitation to users already provisioned with read access. The attack does not expose new data or compromise integrity. The impact is confined to availability of device enumeration and any automation that depends on full traversal of the device list.
With an EPSS score of approximately 0.238% (percentile 14.687), automated exploitation activity is currently rated as low likelihood. No known exploits, public proof-of-concept code, or CISA KEV listing exist at the time of publication.
Root Cause
The root cause is a control-flow defect in the cursor construction logic. Filter parameters propagated into the next-cursor computation can produce a cursor identical to the prior one. The endpoint never reaches a termination condition, so iteration continues indefinitely against the same dataset window.
Attack Vector
An authenticated client with app.read_devices privilege issues a request to /private/devices with a crafted filter parameter. Because the returned cursor does not advance, any consumer following the cursor chain re-fetches the same page repeatedly. Attackers can weaponize this to inflate request volume, stall background jobs, or hide records beyond the initial page from operators relying on paginated views.
No verified exploit code is available. Refer to the GitHub Security Advisory and the VulnCheck Advisory for vendor-confirmed technical detail.
Detection Methods for CVE-2026-56307
Indicators of Compromise
- Repeated GET /private/devices requests from the same authenticated principal returning identical cursor values across responses.
- Sudden, sustained increases in request volume against the /private/devices endpoint without corresponding growth in distinct device IDs returned.
- Device-management jobs that fail to complete or that reprocess the same device records on each run.
Detection Strategies
- Inspect Cloudflare/workerd access logs for sequences of paginated requests where the cursor query parameter does not change between consecutive responses.
- Correlate API consumer behavior with the app.read_devices scope to identify principals iterating without progress.
- Compare the count of unique device IDs returned during a pagination session against the total devices expected for the tenant.
Monitoring Recommendations
- Alert on pagination sessions that exceed a configured page-count threshold without yielding new device identifiers.
- Track per-token request rates against /private/devices and flag deviations from baseline.
- Capture and retain cursor values in API logs to enable retrospective analysis of loop conditions.
How to Mitigate CVE-2026-56307
Immediate Actions Required
- Upgrade Cap-go (capgo) to version 12.128.12 or later, which contains the fix for the broken cursor pagination logic.
- Audit existing API tokens holding app.read_devices and revoke any that are not required for current operations.
- Review automation that consumes /private/devices to ensure it enforces a maximum iteration count when traversing cursors.
Patch Information
The vulnerability is resolved in Cap-go release 12.128.12. Patch details and the corrected cursor advancement logic are documented in the GitHub Security Advisory GHSA-8p6w-x7jg-v4xq. Operators running self-hosted deployments on Cloudflare/workerd should redeploy with the patched build and validate that paginated traversal terminates against test datasets.
Workarounds
- Enforce a server-side or client-side cap on the number of pagination iterations permitted per session against /private/devices.
- Restrict the app.read_devices permission to trusted service principals until the patched version is deployed.
- Implement rate limiting on the /private/devices endpoint at the Cloudflare edge to contain loop-induced request amplification.
# Example: rate-limit /private/devices at the Cloudflare edge
# (illustrative configuration - adapt to your deployment)
wrangler rules add \
--zone <zone-id> \
--expression 'http.request.uri.path eq "/private/devices"' \
--action rate_limit \
--requests-per-period 60 \
--period 60
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

