Skip to main content

Capgo CVE-2026-56322

| EUVDEUVD-2026-38438 HIGH
Information Exposure (CWE-200)
2026-06-23 VulnCheck GHSA-53rj-6v76-ccwp
8.7
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.5 HIGH

Unauthenticated network request to /updates with no user interaction; confidentiality-only leak of private channel metadata, no integrity or availability impact.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Patch available
Jun 23, 2026 - 14:17 EUVD
Analysis Generated
Jun 23, 2026 - 13:06 vuln.today

DescriptionCVE.org

Capgo before 12.128.2 contains an information disclosure vulnerability in the unauthenticated /updates endpoint that resolves the defaultChannel parameter before enforcing privacy restrictions, allowing attackers to enumerate private channels and leak version/config state. Unauthenticated attackers can probe private channel names and distinguish valid channels from nonexistent ones based on response differences, revealing assigned bundle versions and platform-specific configuration details.

AnalysisAI

Information disclosure in Capgo before 12.128.2 allows unauthenticated remote attackers to enumerate private update channels via the /updates endpoint, because the defaultChannel parameter is resolved before privacy restrictions are enforced. Response differences let attackers distinguish valid private channels from nonexistent ones and harvest assigned bundle versions plus platform-specific configuration state. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Discover exposed Capgo /updates endpoint
Delivery
Enumerate candidate defaultChannel names
Exploit
Probe endpoint unauthenticated
Execution
Observe response differences
Persist
Confirm valid private channels
Impact
Harvest bundle versions and config

Vulnerability AssessmentAI

Exploitation The target must run a Capgo update server older than 12.128.2 with the /updates endpoint network-reachable to the attacker, and the attacker must supply the defaultChannel query parameter; no authentication, user interaction, special platform, or non-default configuration is required because the vulnerable code path is the standard unauthenticated client-update flow. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The supplied CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N) and score of 8.7 reflect a network-reachable, unauthenticated, low-complexity confidentiality-only flaw, which is consistent with the described oracle behavior on /updates. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated attacker scripts requests to a target's /updates endpoint, iterating through guessed or wordlist-derived defaultChannel values such as internal-beta, customer-acme, or staging-v2, and observes response differences to distinguish real private channels from nonexistent ones. For each confirmed channel they harvest the disclosed bundle version and platform-specific configuration, building a map of the victim's internal release pipeline and customer-specific deployments that can inform follow-on social engineering or targeted supply-chain reconnaissance.
Remediation Vendor-released patch: upgrade Capgo to 12.128.2 or later, which reorders the /updates handler to enforce privacy restrictions on the defaultChannel parameter before resolving channel metadata, per the GHSA-pgmr-gw53-7f77 advisory. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all Capgo instances and identify any running versions before 12.128.2; assess whether private update channels are configured and determine exposure scope. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Capgo

View all
CVE-2026-56237 CRITICAL
9.3 Jun 24

Authentication bypass in Capgo before 12.128.2 lets remote unauthenticated attackers mint arbitrary API keys by tamperin

CVE-2026-56223 CRITICAL
9.3 Jun 24

Cross-domain SSO account takeover in Capgo before 12.128.2 allows an attacker with enterprise org admin access and a mal

CVE-2026-56081 CRITICAL
9.3 Jun 19

Account pre-registration hijack in Capgo before 12.128.2 lets a remote unauthenticated attacker claim an account under a

CVE-2026-56073 CRITICAL
9.3 Jun 19

Authentication bypass in Capgo prior to version 12.128.2 lets attackers defeat email-based OTP verification by tampering

CVE-2026-56324 HIGH
8.8 Jun 22

Rate-limit bypass in Capgo versions prior to 12.128.2 lets remote unauthenticated attackers flood the channel_self endpo

CVE-2026-56245 HIGH
8.8 Jun 24

Cross-tenant data poisoning in Supabase Capgo before 12.128.2 allows remote unauthenticated attackers to corrupt billing

CVE-2026-56233 HIGH
8.7 Jun 30

Server-side privilege escalation in Capgo before 12.128.2 lets authenticated users holding build permissions abuse a pat

CVE-2026-56323 HIGH
8.7 Jun 22

Unauthenticated information disclosure in Capgo before 12.128.2 lets remote attackers query the /functions/v1/channel_se

CVE-2026-56305 HIGH
8.7 Jul 10

Account takeover in Capgo before 12.128.2 stems from a password-change endpoint that omits current-password validation (

CVE-2026-56300 HIGH
8.7 Jun 30

Information disclosure in Capgo (Capacitor live-update/OTA platform) before 12.128.2 lets unauthenticated callers abuse

CVE-2026-56219 HIGH
8.7 Jun 30

Unauthenticated information disclosure in Capgo before 12.128.2 lets remote attackers read organization RBAC role bindin

CVE-2026-56230 HIGH
8.7 Jun 30

Cross-tenant authorization bypass in Capgo before 12.128.2 lets authenticated users impersonate another tenant's limited

Share

CVE-2026-56322 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy