Skip to main content

Capacitor Updater CVE-2026-56254

| EUVDEUVD-2026-42879 HIGH
Key Management Errors (CWE-320)
2026-07-10 VulnCheck GHSA-v24w-qp6p-4wjw
8.3
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
8.3 HIGH
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.0 HIGH

AC:H because the attacker must first achieve MITM or server compromise; PR:N/UI:N since no device-side privileges or interaction are needed; impact is integrity-dominant (I:H) with limited C/A from malicious-update installation.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:L
4.0 AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Patch available
Jul 10, 2026 - 16:16 EUVD
Analysis Generated
Jul 10, 2026 - 15:15 vuln.today

DescriptionCVE.org

In @capgo/capacitor-updater (Cap-go/capgo) before 12.128.2, the end-to-end encryption scheme distributes the private key to each device that downloads the app. Because the public key can be derived from the private key, an attacker performing a man-in-the-middle attack or compromising the Capgo server can create a validly signed update bundle and cause devices to install an update not produced by the original app maker.

AnalysisAI

Update-signing bypass in @capgo/capacitor-updater (capgo OTA plugin for Capacitor apps) before 12.128.2 undermines its end-to-end encryption by shipping the same private key to every device that downloads the app. Because the public verification key can be derived from that distributed private key, an attacker with a man-in-the-middle position or control of the Capgo delivery server can forge a validly signed update bundle and push attacker-controlled code to devices. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Extract distributed private key from app
Delivery
Derive full signing keypair
Exploit
Establish MITM or compromise Capgo server
Execution
Craft validly signed malicious update bundle
Persist
Device installs forged update
Impact
Attacker code runs on device

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to obtain the client-distributed private signing key (trivially recoverable because it ships inside every downloaded app) AND to occupy one of two positions on the update path: an active man-in-the-middle on the network channel between the device and the Capgo update server, or compromise/control of the Capgo server itself. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment This is a genuine integrity/software-supply-chain risk rather than a mere high-CVSS paper cut, but exploitation is gated. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker extracts the embedded private key from a shipped app (or intercepts it) and, from a man-in-the-middle position on a shared/hostile network, serves a forged update bundle that carries a valid signature derived from the leaked keypair. The victim device accepts the bundle as authentic and installs attacker-controlled code; alternatively, an attacker who compromises the Capgo server pushes the malicious bundle to all devices at once. …
Remediation Vendor-released patch: upgrade @capgo/capacitor-updater to 12.128.2 or later, then rebuild and re-release the mobile app so devices carry the corrected key-handling logic; note that because the private key was already distributed with vulnerable builds, you should also treat the old signing keypair as compromised and rotate to a freshly generated keypair rather than reusing existing keys. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Create an inventory of all production mobile applications using @capgo/capacitor-updater versions prior to 12.128.2 and calculate total device exposure. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-56254 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy