← All CVEs

CVE-2026-56328

HIGH 7.1

Published 2026-06-30 · Last modified 2026-07-01

Capgo before 12.128.2 allows multiple public channels for the same app and platform to coexist simultaneously, while unnamed /updates requests without defaultChannel implicitly resolve to a single hidden winner channel. An authorized app or channel manager can create ambiguous default update state and silently influence which bundle unnamed clients receive, breaking release routing integrity and predictability.

ELEVATED IMPACT

Severe if exploited (CVSS 7.1), but no known exploitation and low modeled probability. Patch on a normal cadence.

Exploitation likelihood

0.2%chance of exploitation in 30 days · 16th percentile

○ In CISA KEV ○ Public exploit / PoC

Impact if exploited

7.1CVSS 4.0 · HIGH

  • ConfidentialityNone
  • IntegrityHigh
  • AvailabilityNone

What an attacker needs

  • Access: Reachable over the network — no local access needed
  • Privileges: Requires a low-privilege account
  • User interaction: No user interaction needed
  • Complexity: No special conditions — reliably repeatable
  • Requirements: No special attack requirements

✓ lowers the bar for an attacker · ⚠ raises it

Affected

Vendors Capgo

Products Capgo

Weakness (CWE)

  • CWE-670

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Sources: NVD · CVE.org · EPSS