CVE-2026-56324
HighCVSS 8.2Exploitation Probability (EPSS)
Low risk19th percentile - higher than 19% of all known CVEs
Summary
Capgo before 12.128.2 contains a rate limit bypass vulnerability in the channel_self endpoint that allows attackers to circumvent rate limiting by rotating the user-controlled device_id parameter.
Risk Assessment
Attackers can send multiple requests per second by changing device_id values to flood the channel_devices table and cause database exhaustion.
Recommendation
It is recommended to upgrade to version 12.128.2 or later to mitigate this vulnerability and implement additional rate limiting mechanisms.
Original NVD description (English source)
Capgo before 12.128.2 contains a rate limit bypass vulnerability in the channel_self endpoint that allows attackers to circumvent rate limiting by rotating the user-controlled device_id parameter. Attackers can send multiple requests per second by changing device_id values to flood the channel_devices table and cause database exhaustion.

