CVE-2026-56249
HighCVSS 7.6Exploitation Probability (EPSS)
Low risk17th percentile — higher than 17% of all known CVEs
Summary
An authorization bypass vulnerability in Capgo before version 12.128.2 allows authenticated users to overwrite existing channels by reusing their names. Attackers with app.create_channel permission can exploit a logic mismatch between existence validation and upsert operations.
Risk Assessment
Attackers can reassign channel ownership and modify critical production channel configurations, leading to unauthorized access and potential service disruption.
Recommendation
Upgrade Capgo to version 12.128.2 or later immediately to remediate the authorization bypass vulnerability.
Original NVD description (English source)
Capgo before 12.128.2 contains an authorization bypass vulnerability in the channel creation endpoint that allows authenticated users to overwrite existing channels by reusing their names. Attackers with app.create_channel permission can exploit a logic mismatch between existence validation and upsert operations to reassign channel ownership and modify critical production channel configurations.

