Description
Capgo before 12.128.2 contains a rate limit bypass vulnerability in the channel_self endpoint that allows attackers to circumvent rate limiting by rotating the user-controlled device_id parameter. Attackers can send multiple requests per second by changing device_id values to flood the channel_devices table and cause database exhaustion.
Published: 2026-06-22
Score: 8.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Capgo before 12.128.2 has a flaw in the channel_self API that allows attackers to bypass server‑side rate limiting by rotating a user‑controlled device_id value on each request. By rapidly changing device_id an attacker can send an unlimited number of requests per second, filling the channel_devices table and exhausting database resources. This results in denial of service for legitimate users and may impact overall system availability. The weakness is an instance of improper resource limiting (CWE-770).

Affected Systems

The vulnerability affects the Capgo application (vendor Capgo) in all versions earlier than 12.128.2. The affected surface is the public channel_self endpoint exposed by the Capgo service.

Risk and Exploitability

The CVSS score of 8.8 indicates high severity, and the absence of an EPSS score means the current exploit probability is unknown, but the vulnerability remains high risk because of its potential for denial of service. It is not listed in CISA's KEV catalog. The likely attack vector is external network traffic to the channel_self endpoint, since the endpoint accepts device_id from the request and its rate limit does not hold when that value changes.

Generated by OpenCVE AI on June 22, 2026 at 23:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Capgo update to version 12.128.2 or newer
  • If immediate upgrade is not feasible, implement external rate‑limiting on the channel_self endpoint (e.g., using an API gateway or traffic controller) to constrain requests per second regardless of device_id changes
  • Monitor database performance and application logs for high request volumes and device_id rotation patterns
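The mitigation and monitoring bullets above can be made concrete with the following Python, added here as an illustration and not code from Capgo or OpenCVE. It contrasts a sliding-window limiter keyed on the caller-supplied device_id (which a fresh value per request evades) with the same limiter keyed on the connection's source IP, and scans constructed request logs for source IPs presenting many distinct device_ids in a short window. The request fields (ts, client_ip, device_id), the log line format and every value are constructed assumptions; in practice the key should be an identity the client cannot freely choose (source IP, or better an authenticated principal), with shared or NAT'd addresses taken into account when setting the limit.

```python
"""Added example, not Capgo's code: a rate limiter keyed on a
user-controlled field (device_id) can be rotated past, while one keyed
on an attribute the request body cannot change (source IP here) holds.
A small log scan for device_id rotation follows. Request fields
(ts, client_ip, device_id), the log format and all values are constructed."""
from collections import defaultdict, deque

WINDOW_SECONDS = 1.0   # assumed policy: 5 requests per second per key
MAX_PER_WINDOW = 5


class SlidingWindowLimiter:
    """Allow at most `limit` requests per `window` seconds for each key."""

    def __init__(self, limit=MAX_PER_WINDOW, window=WINDOW_SECONDS):
        self.limit = limit
        self.window = window
        self._hits = defaultdict(deque)   # key -> timestamps of recent hits

    def allow(self, key, now):
        q = self._hits[key]
        while q and now - q[0] >= self.window:   # drop hits outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def key_by_device_id(request):
    # Weak keying: the caller picks the key, so every fresh device_id
    # lands in a fresh, empty bucket and the limit never trips.
    return request["device_id"]


def key_by_client_ip(request):
    # Hardened keying: the source address (or an authenticated principal)
    # is not something the request body can rotate.
    return request["client_ip"]


def simulate(requests, key_fn):
    """Return how many of `requests` a fresh limiter lets through."""
    limiter = SlidingWindowLimiter()
    return sum(1 for req in requests if limiter.allow(key_fn(req), req["ts"]))


def rotating_burst(n, client_ip="198.51.100.7", start=1000.0):
    """Constructed: n requests within one second, each with a new device_id."""
    return [{"ts": start + i * 0.01, "client_ip": client_ip,
             "device_id": f"dev-{i:04d}"} for i in range(n)]


def device_id_rotation_report(log_lines, window=60, threshold=20):
    """Detection: report source IPs that present at least `threshold`
    distinct device_ids inside one `window`-second bucket.
    Constructed log format: '<epoch> <client_ip> POST /channel_self device_id=<id>'"""
    seen = defaultdict(lambda: defaultdict(set))   # ip -> bucket -> device_ids
    for line in log_lines:
        parts = line.split()
        ts, ip = float(parts[0]), parts[1]
        dev = next(p.split("=", 1)[1] for p in parts if p.startswith("device_id="))
        seen[ip][int(ts // window)].add(dev)
    report = {}
    for ip, buckets in seen.items():
        peak = max(len(ids) for ids in buckets.values())
        if peak >= threshold:
            report[ip] = peak
    return report


def sample_log():
    """Constructed request log: one IP rotating device_id, one ordinary client."""
    lines = [f"{1700000000 + i} 198.51.100.7 POST /channel_self device_id=dev-{i:04d}"
             for i in range(30)]
    lines += [f"{1700000000 + i} 203.0.113.5 POST /channel_self device_id=dev-real"
              for i in range(3)]
    return lines


if __name__ == "__main__":
    burst = rotating_burst(50)
    print("keyed on device_id, allowed:", simulate(burst, key_by_device_id))  # 50
    print("keyed on client IP, allowed:", simulate(burst, key_by_client_ip))  # 5
    print("device_id rotation per IP:", device_id_rotation_report(sample_log()))
```

Run as a script: the same 50-request burst passes the device_id-keyed limiter in full and is cut to 5 by the IP-keyed one, and the log scan reports only the address that rotated through 30 device_ids inside one minute.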



Advisories

No advisories yet.

History

Mon, 22 Jun 2026 22:00:00 +0000

Type        | Values Removed | Values Added
Description |                | Capgo before 12.128.2 contains a rate limit bypass vulnerability in the channel_self endpoint that allows attackers to circumvent rate limiting by rotating the user-controlled device_id parameter. Attackers can send multiple requests per second by changing device_id values to flood the channel_devices table and cause database exhaustion.
Title       |                | Capgo - Rate Limit Bypass via User-Controlled device_id Parameter
Weaknesses  |                | CWE-770
References  |                |
Metrics     |                | cvssV3_1: {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H'}
            |                | cvssV4_0: {'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-22T21:04:50.285Z

Reserved: 2026-06-20T13:06:29.994Z

Link: CVE-2026-56324

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-22T23:45:04Z

Weaknesses

  • CWE-770: Allocation of Resources Without Limits or Throttling