Skip to main content

Capgo CVE-2026-56314

| EUVDEUVD-2026-38371 HIGH
Operation on a Resource after Expiration or Release (CWE-672)
2026-06-22 VulnCheck
7.1
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
7.1 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.1 HIGH

Network-reachable /updates path with low-privileged authenticated channel operator (PR:L); integrity-high because attacker controls code shipped to devices, availability-low, no confidentiality impact.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

2
Patch available
Jun 22, 2026 - 23:02 EUVD
Analysis Generated
Jun 22, 2026 - 22:18 vuln.today

DescriptionCVE.org

Capgo before 12.128.12 fails to filter deleted app versions when joining channels during /updates resolution, allowing deleted bundles to remain selectable. Attackers can continue deploying deleted bundles to devices by exploiting the missing app_versions.deleted filter in channel version joins.

AnalysisAI

Logic flaw in Capgo before 12.128.12 lets authenticated attackers continue serving soft-deleted application bundles to end-user devices because the /updates endpoint omits an app_versions.deleted filter when joining channels. Affected operators of the Capgo live-update service (a CodePush-style OTA platform for Capacitor mobile apps) can have purged bundles re-selected and pushed downstream, undermining rollback and removal workflows. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate to Capgo with channel-management role
Delivery
Soft-delete target bundle in app_versions
Exploit
Keep or reattach bundle to live channel
Execution
Devices query /updates endpoint
Persist
Vulnerable join returns deleted bundle
Impact
Mobile clients install withdrawn code

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated Capgo account with privileges to manage channels and bundles (CVSS PR:L), a Capgo backend running a version below 12.128.12, and at least one bundle that has been soft-deleted (app_versions.deleted set) while remaining associated with - or reassignable to - a live channel used by production devices via the /updates endpoint. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The vendor-supplied CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L) describes a network-reachable, low-complexity, authenticated attack with high integrity impact and low availability impact on the vulnerable system only - consistent with an authenticated channel/bundle operator being able to influence which code reaches devices, rather than an unauthenticated takeover. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with a low-privileged channel-management account on a Capgo instance - either a malicious insider or someone who compromised such an account - marks a previously-pulled bundle as deleted in the UI but then reassigns or keeps it associated with a production channel. Because the /updates join omits the app_versions.deleted filter, devices polling that channel continue to receive the supposedly-deleted bundle, letting the attacker silently re-deploy a withdrawn, vulnerable, or backdoored version of the mobile app code. …
Remediation Vendor-released patch: Capgo 12.128.12 - upgrade the Capgo backend to 12.128.12 or later as described in GHSA-hqq2-87cp-j83x (https://github.com/Cap-go/capgo/security/advisories/GHSA-hqq2-87cp-j83x) and corroborated by https://www.vulncheck.com/advisories/capgo-deleted-bundle-selection-via-missing-deletion-filter-in-updates-endpoint. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Identify current Capgo deployment version; audit administrative access and operations logs for the past 30 days; catalog all bundles deleted in the past 90 days. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Capgo

View all
CVE-2026-56237 CRITICAL
9.3 Jun 24

Authentication bypass in Capgo before 12.128.2 lets remote unauthenticated attackers mint arbitrary API keys by tamperin

CVE-2026-56223 CRITICAL
9.3 Jun 24

Cross-domain SSO account takeover in Capgo before 12.128.2 allows an attacker with enterprise org admin access and a mal

CVE-2026-56081 CRITICAL
9.3 Jun 19

Account pre-registration hijack in Capgo before 12.128.2 lets a remote unauthenticated attacker claim an account under a

CVE-2026-56073 CRITICAL
9.3 Jun 19

Authentication bypass in Capgo prior to version 12.128.2 lets attackers defeat email-based OTP verification by tampering

CVE-2026-56324 HIGH
8.8 Jun 22

Rate-limit bypass in Capgo versions prior to 12.128.2 lets remote unauthenticated attackers flood the channel_self endpo

CVE-2026-56245 HIGH
8.8 Jun 24

Cross-tenant data poisoning in Supabase Capgo before 12.128.2 allows remote unauthenticated attackers to corrupt billing

CVE-2026-56233 HIGH
8.7 Jun 30

Server-side privilege escalation in Capgo before 12.128.2 lets authenticated users holding build permissions abuse a pat

CVE-2026-56323 HIGH
8.7 Jun 22

Unauthenticated information disclosure in Capgo before 12.128.2 lets remote attackers query the /functions/v1/channel_se

CVE-2026-56305 HIGH
8.7 Jul 10

Account takeover in Capgo before 12.128.2 stems from a password-change endpoint that omits current-password validation (

CVE-2026-56300 HIGH
8.7 Jun 30

Information disclosure in Capgo (Capacitor live-update/OTA platform) before 12.128.2 lets unauthenticated callers abuse

CVE-2026-56219 HIGH
8.7 Jun 30

Unauthenticated information disclosure in Capgo before 12.128.2 lets remote attackers read organization RBAC role bindin

CVE-2026-56230 HIGH
8.7 Jun 30

Cross-tenant authorization bypass in Capgo before 12.128.2 lets authenticated users impersonate another tenant's limited

Share

CVE-2026-56314 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy