Description
Capgo before 12.128.2 fails to enforce plan/quota restrictions on the /files/upload/attachments endpoint, allowing plan-blocked apps to create publicly readable R2 objects. Attackers can upload arbitrary attachments using upload-scoped API keys that bypass plan checks, persist outside normal bundle metadata, and survive app deletion, enabling storage and bandwidth abuse.
Problem types
Allocation of Resources Without Limits or Throttling
Product status
Any version before 12.128.2
12.128.2 (semver)
Credits
Judel777
References
github.com/.../capgo/security/advisories/GHSA-q52j-ggvx-cr4v
github.com/.../capgo/security/advisories/GHSA-q52j-ggvx-cr4v (GitHub Security Advisory (GHSA-q52j-ggvx-cr4v))
www.vulncheck.com/...unrestricted-attachment-upload-endpoint (VulnCheck Advisory: Capgo - Plan Bypass via Unrestricted Attachment Upload Endpoint)