CVE-2026-56328 PUBLISHED

Capgo - Integrity Issue in Release Routing via Multiple Public Channels

Assigner: VulnCheck
Reserved: 20.06.2026 Published: 30.06.2026 Updated: 01.07.2026

Capgo before 12.128.2 allows multiple public channels for the same app and platform to coexist simultaneously, while unnamed /updates requests without defaultChannel implicitly resolve to a single hidden winner channel. An authorized app or channel manager can create ambiguous default update state and silently influence which bundle unnamed clients receive, breaking release routing integrity and predictability.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
CVSS Score: 7.1

Product Status

Vendor Capgo
Product Capgo
Versions Default: unaffected
  • affected from 0 to 12.128.2 (excl.)
  • Version 12.128.2 is unaffected

Credits

  • Judel777 reporter

References

Problem Types

  • Always-Incorrect Control Flow Implementation CWE