Impact
An authorization bypass exists in Capgo’s channel creation endpoint that lets an authenticated user with the app.create_channel permission overwrite an existing channel by reusing its name. By doing so, the attacker becomes the owner of the channel and can alter critical production channel configurations. This flaw is an instance of CWE‑285, representing a missing authorization check.
Affected Systems
The vulnerability applies to Capgo releases preceding 12.128.2. No additional specific product variants or build numbers are provided. Users of older versions should verify their installed revision and upgrade if necessary.
Risk and Exploitability
The CVSS score of 7.2 signals a high severity. The EPSS score is not available, so exploitation likelihood is not quantified, yet the flaw requires the attacker to be authenticated and possess channel‑creation rights. Although it is not catalogued in CISA KEV, the potential to take over channel ownership and modify configurations constitutes a significant risk for environments that depend on Capgo for channel management.
OpenCVE Enrichment