Description
Capgo before 12.128.12 fails to filter deleted app versions when joining channels during /updates resolution, allowing deleted bundles to remain selectable. Attackers can continue deploying deleted bundles to devices by exploiting the missing app_versions.deleted filter in channel version joins.
Published: 2026-06-22
Score: 7.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Capgo versions prior to 12.128.12 contain a flaw in the /updates endpoint where the deletion status of app versions is not respected during channel resolution. This missing filter means that bundles marked as deleted can still be queried and selected for deployment, allowing an attacker to re‑deploy code that should have been removed. The consequence is that devices may receive unwanted or malicious updates, potentially compromising integrity and availability.

Affected Systems

All installations of Capgo using versions earlier than 12.128.12 are affected. The CNA identifies the product as Capgo and the vulnerability applies to every instance of that application running a pre‑12.128.12 release.

Risk and Exploitability

The CVSS score of 7.1 indicates high severity. EPSS data is unavailable, so the likelihood of exploitation cannot be quantified precisely, and the vulnerability is not currently listed in CISA’s KEV catalog. Attackers would need to target the application's update mechanism, which is typically exposed over network interfaces, making remote exploitation plausible. Given the absence of detectable mitigations in the affected releases, the risk remains substantial until the vendor releases an update that enforces the deleted filter.

Generated by OpenCVE AI on June 22, 2026 at 23:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Capgo to version 12.128.12 or later, which implements the deleted filter in the /updates endpoint
  • Verify that the /updates API now rejects any bundle with a deleted flag; if not, temporarily restrict update deployments by filtering out deleted bundles in your own intermediaries
  • Remove any deleted bundles from active channels to prevent accidental deployment while awaiting the patch
  • Ensure that future deployments check for the deleted flag during channel resolution to avoid recurrence of this issue
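An added illustration of the join defect described in the Impact section and of the audit check behind the recommended actions above. This is not Capgo's code: the table layout and sample rows are constructed, and only the app_versions.deleted column name comes from the advisory text. It uses SQLite from Python.

```python
import sqlite3

# Constructed schema approximating the channel -> version join the advisory
# describes. Only the app_versions.deleted column comes from the CVE text;
# table layout and sample rows are assumptions, not Capgo's real schema.
SCHEMA = """
CREATE TABLE app_versions (
    id INTEGER PRIMARY KEY, app_id TEXT, name TEXT,
    deleted INTEGER NOT NULL DEFAULT 0);
CREATE TABLE channels (
    id INTEGER PRIMARY KEY, app_id TEXT, name TEXT,
    version INTEGER REFERENCES app_versions(id));
INSERT INTO app_versions VALUES (1, 'com.example.app', '1.0.0', 0);
INSERT INTO app_versions VALUES (2, 'com.example.app', '1.0.1', 1);  -- soft-deleted
INSERT INTO channels VALUES (10, 'com.example.app', 'production', 2); -- still pinned
"""

# Vulnerable resolution: the join never looks at app_versions.deleted, so a
# channel still pinned to a soft-deleted bundle hands that bundle to devices.
VULNERABLE_QUERY = """
SELECT v.id, v.name, v.deleted FROM channels c
JOIN app_versions v ON v.id = c.version
WHERE c.app_id = ? AND c.name = ?"""

# Fixed resolution: the deletion flag is part of the join condition, so the
# channel resolves to nothing rather than to a removed bundle.
FIXED_QUERY = """
SELECT v.id, v.name, v.deleted FROM channels c
JOIN app_versions v ON v.id = c.version AND v.deleted = 0
WHERE c.app_id = ? AND c.name = ?"""

# Operator audit: channels whose pinned version is soft-deleted (clean these up).
AUDIT_QUERY = """
SELECT c.name, v.name FROM channels c
JOIN app_versions v ON v.id = c.version
WHERE v.deleted = 1"""

def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def resolve(conn, query, app_id, channel):
    """Return (id, name, deleted) for the bundle the channel would serve, or None."""
    return conn.execute(query, (app_id, channel)).fetchone()

def channels_pinned_to_deleted(conn):
    """Defender-side check mirroring the recommended action: list channels to fix."""
    return conn.execute(AUDIT_QUERY).fetchall()
```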

Advisories

No advisories yet.

History

Mon, 22 Jun 2026 22:00:00 +0000

Type Values Removed Values Added
Description Capgo before 12.128.12 fails to filter deleted app versions when joining channels during /updates resolution, allowing deleted bundles to remain selectable. Attackers can continue deploying deleted bundles to devices by exploiting the missing app_versions.deleted filter in channel version joins.
Title Capgo - Deleted Bundle Selection via Missing Deletion Filter in /updates Endpoint
Weaknesses CWE-672
References
Metrics cvssV3_1: 7.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L); cvssV4_0: 7.1 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N)


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-22T21:04:48.230Z

Reserved: 2026-06-20T12:59:07.917Z

Link: CVE-2026-56314

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-22T23:45:04Z

Weaknesses
  • CWE-672: Operation on a Resource after Expiration or Release