CVE Catalog

CVE-2026-56322

HighCVSS 7.5
Published: Updated: Translated: NVD NIST

Summary

Capgo before 12.128.2 contains an information disclosure vulnerability in the unauthenticated /updates endpoint that resolves the defaultChannel parameter before enforcing privacy restrictions. This allows attackers to enumerate private channels and leak version/config state.

Risk Assessment

Unauthenticated attackers can identify private channels and obtain details about bundle versions and platform-specific configurations, potentially leading to further attacks on the system.

Recommendation

It is recommended to update Capgo to version 12.128.2 or later to mitigate this vulnerability and implement additional privacy protection measures for endpoints.

Original NVD description (English source)

Capgo before 12.128.2 contains an information disclosure vulnerability in the unauthenticated /updates endpoint that resolves the defaultChannel parameter before enforcing privacy restrictions, allowing attackers to enumerate private channels and leak version/config state. Unauthenticated attackers can probe private channel names and distinguish valid channels from nonexistent ones based on response differences, revealing assigned bundle versions and platform-specific configuration details.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS