CVE Catalog

CVE-2026-56328

MediumCVSS 6.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.25%

16th percentile — higher than 16% of all known CVEs

Summary

A vulnerability in Capgo before version 12.128.2 allows multiple public channels for the same app and platform to coexist, while unnamed /updates requests without a default channel implicitly resolve to a single hidden winner channel. An authorized app or channel manager can create an ambiguous default update state and silently influence which bundle unnamed clients receive, breaking release routing integrity and predictability.

Risk Assessment

The organization risks delivering incorrect or unexpected updates to clients, potentially leading to security, stability, or compliance issues.

Recommendation

Immediately upgrade Capgo to version 12.128.2 or later, and review channel configuration and manager permissions to ensure a clear default channel for each app and platform.

Original NVD description (English source)

Capgo before 12.128.2 allows multiple public channels for the same app and platform to coexist simultaneously, while unnamed /updates requests without defaultChannel implicitly resolve to a single hidden winner channel. An authorized app or channel manager can create ambiguous default update state and silently influence which bundle unnamed clients receive, breaking release routing integrity and predictability.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS