CVE-2026-56323
HighCVSS 7.5Exploitation Probability (EPSS)
Low risk30th percentile - higher than 30% of all known CVEs
Summary
Capgo before 12.128.2 contains an information disclosure vulnerability in the /functions/v1/channel_self endpoint that allows unauthenticated attackers to enumerate non-public channel names and determine app existence and subscription status. Remote attackers can send GET requests with arbitrary app_id parameters to disclose internal rollout channels.
Risk Assessment
This vulnerability allows remote attackers to gain access to information about applications and subscription status without authentication, potentially leading to privacy breaches and data security issues for the organization.
Recommendation
It is recommended to update Capgo to version 12.128.2 or later to mitigate this vulnerability. Additionally, implementing further security measures to restrict access to sensitive endpoints is advisable.
Original NVD description (English source)
Capgo before 12.128.2 contains an information disclosure vulnerability in the /functions/v1/channel_self endpoint that allows unauthenticated attackers to enumerate non-public channel names and determine app existence and subscription status. Remote attackers can send GET requests with arbitrary app_id parameters to disclose internal rollout channels, enumerate valid applications across tenants, and leak billing status without authentication or device binding.

