Severity by source
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
AC:H because the attacker must first achieve MITM or server compromise; PR:N/UI:N since no device-side privileges or interaction are needed; impact is integrity-dominant (I:H) with limited C/A from malicious-update installation.
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
In @capgo/capacitor-updater (Cap-go/capgo) before 12.128.2, the end-to-end encryption scheme distributes the private key to each device that downloads the app. Because the public key can be derived from the private key, an attacker performing a man-in-the-middle attack or compromising the Capgo server can create a validly signed update bundle and cause devices to install an update not produced by the original app maker.
AnalysisAI
Update-signing bypass in @capgo/capacitor-updater (capgo OTA plugin for Capacitor apps) before 12.128.2 undermines its end-to-end encryption by shipping the same private key to every device that downloads the app. Because the public verification key can be derived from that distributed private key, an attacker with a man-in-the-middle position or control of the Capgo delivery server can forge a validly signed update bundle and push attacker-controlled code to devices. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the attacker to obtain the client-distributed private signing key (trivially recoverable because it ships inside every downloaded app) AND to occupy one of two positions on the update path: an active man-in-the-middle on the network channel between the device and the Capgo update server, or compromise/control of the Capgo server itself. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | This is a genuine integrity/software-supply-chain risk rather than a mere high-CVSS paper cut, but exploitation is gated. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker extracts the embedded private key from a shipped app (or intercepts it) and, from a man-in-the-middle position on a shared/hostile network, serves a forged update bundle that carries a valid signature derived from the leaked keypair. The victim device accepts the bundle as authentic and installs attacker-controlled code; alternatively, an attacker who compromises the Capgo server pushes the malicious bundle to all devices at once. … |
| Remediation | Vendor-released patch: upgrade @capgo/capacitor-updater to 12.128.2 or later, then rebuild and re-release the mobile app so devices carry the corrected key-handling logic; note that because the private key was already distributed with vulnerable builds, you should also treat the old signing keypair as compromised and rotate to a freshly generated keypair rather than reusing existing keys. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Create an inventory of all production mobile applications using @capgo/capacitor-updater versions prior to 12.128.2 and calculate total device exposure. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-320 – Key Management Errors
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42879
GHSA-v24w-qp6p-4wjw