Description
Capgo before 12.128.2 contains an information disclosure vulnerability in the /functions/v1/channel_self endpoint that allows unauthenticated attackers to enumerate non-public channel names and determine app existence and subscription status. Remote attackers can send GET requests with arbitrary app_id parameters to disclose internal rollout channels, enumerate valid applications across tenants, and leak billing status without authentication or device binding.
Published: 2026-06-22
Score: 8.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Capgo version prior to 12.128.2 exposes an information disclosure flaw in the /functions/v1/channel_self endpoint. Unauthenticated attackers can send arbitrary GET requests with an app_id parameter to enumerate internal rollout channels, identify valid applications across tenants, and expose billing status. The weakness is a classic information disclosure vulnerability (CWE-200) that allows compromise of confidentiality without any authentication or device binding, potentially revealing sensitive deployment data to remote actors.

Affected Systems

Vulnerable systems are Capgo deployments using the Capgo product. No specific version numbers are provided in the source data, but the issue exists in all releases prior to 12.128.2.

Risk and Exploitability

The CVSS score of 8.7 indicates a high severity. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. Attackers can exploit this remotely through unauthenticated HTTP GET requests, making it practical for automated enumeration of channel names and application visibility.

Generated by OpenCVE AI on June 22, 2026 at 23:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Capgo to version 12.128.2 or later to eliminate the exposure.
  • Configure the API gateway or web server to require authentication for the /functions/v1/channel_self endpoint, or block access from untrusted networks.
  • Apply network segmentation and firewall rules to restrict access to Capgo control plane endpoints to trusted administrators only.

Generated by OpenCVE AI on June 22, 2026 at 23:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 22 Jun 2026 22:00:00 +0000

Type Values Removed Values Added
Description Capgo before 12.128.2 contains an information disclosure vulnerability in the /functions/v1/channel_self endpoint that allows unauthenticated attackers to enumerate non-public channel names and determine app existence and subscription status. Remote attackers can send GET requests with arbitrary app_id parameters to disclose internal rollout channels, enumerate valid applications across tenants, and leak billing status without authentication or device binding.
Title Capgo - Unauthenticated Channel Enumeration and App Oracle via GET /channel_self
Weaknesses CWE-200
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-22T21:04:49.612Z

Reserved: 2026-06-20T13:06:29.993Z

Link: CVE-2026-56323

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-22T23:45:04Z

Weaknesses
  • CWE-200

    Exposure of Sensitive Information to an Unauthorized Actor