Description
Capgo before 12.128.2 uses ILIKE pattern matching instead of exact matching for app_id lookup in the preview subdomain resolver, allowing underscore characters in app_id to act as SQL wildcards. Attackers can create apps with app_ids differing by one character at underscore positions to cause unintended pattern matches, breaking preview functionality for legitimate apps or causing app-id confusion.
Published: 2026-06-20
Score: 2.3 Low
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Capgo prior to version 12.128.2 performs a wildcard comparison for the app_id during preview subdomain resolution, treating underscore characters as SQL wildcards. This flaw allows attackers to create application identifiers that differ from a legitimate app only by underscore placement, causing unintended matches. As a result, preview requests for one app can resolve to a different app or fail entirely, breaking preview functionality for users and potentially exposing sensitive data during preview sessions.

Affected Systems

The vulnerability affects the Capgo platform in all releases before 12.128.2. Users running any older Capgo instance are susceptible unless they have otherwise patched or custom-modified the preview subdomain logic.

Risk and Exploitability

The CVSS score of 2.3 indicates a low severity flaw, and the EPSS score is not available, suggesting no known widespread exploitation. Attackers can exploit the issue remotely by creating an app with a crafted identifier that leverages wildcard matching to trigger unintended preview subdomain resolution. The flaw is not listed in the CISA KEV catalog, and no public exploits have been reported, but the functional impact on preview services warrants a patch as soon as possible.

Generated by OpenCVE AI on June 20, 2026 at 16:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Capgo to version 12.128.2 or later
  • If an upgrade is not immediately possible, modify the preview subdomain resolver to enforce exact equality comparison for app_id values, ensuring that underscore characters are treated literally
  • Validate all new app identifiers to exclude wildcard characters or enforce stricter naming rules
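The weak lookup beside the two alternatives named above (exact equality, or escaping the wildcard metacharacters if pattern matching must be kept), as an added example that is not Capgo's code. It uses an in-memory SQLite table with constructed app_ids; SQLite's LIKE is case-insensitive for ASCII, which stands in for the Postgres ILIKE behaviour the advisory describes.

```python
import sqlite3

# Constructed sample data (not Capgo's): a legitimate app whose app_id contains an
# underscore, and a look-alike that differs only at that underscore position.
APPS = [("com.example.my_app", "legit"), ("com.example.myXapp", "lookalike")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE apps (app_id TEXT PRIMARY KEY, owner TEXT)")
    conn.executemany("INSERT INTO apps VALUES (?, ?)", APPS)
    return conn


def lookup_like(conn, app_id):
    # Weak form modelled on the advisory: LIKE/ILIKE treats '_' as a one-character
    # wildcard and '%' as a multi-character wildcard, so even a parameterised query
    # is a pattern match, not an equality test. (SQLite's LIKE is case-insensitive
    # for ASCII, which is the ILIKE behaviour assumed here.)
    rows = conn.execute("SELECT app_id FROM apps WHERE app_id LIKE ?", (app_id,))
    return sorted(r[0] for r in rows)


def lookup_exact(conn, app_id):
    # Fix: plain equality; underscores and percent signs are literal characters.
    rows = conn.execute("SELECT app_id FROM apps WHERE app_id = ?", (app_id,))
    return sorted(r[0] for r in rows)


def escape_like(value):
    # If case-insensitive matching must be kept, escape the wildcard metacharacters
    # (and the escape character itself) before the value reaches LIKE/ILIKE.
    return value.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def lookup_like_escaped(conn, app_id):
    rows = conn.execute(
        "SELECT app_id FROM apps WHERE app_id LIKE ? ESCAPE '\\'", (escape_like(app_id),)
    )
    return sorted(r[0] for r in rows)


if __name__ == "__main__":
    db = make_db()
    print(lookup_like(db, "com.example.my_app"))          # both rows: ambiguous
    print(lookup_exact(db, "com.example.my_app"))         # only the legitimate app
    print(lookup_like_escaped(db, "com.example.my_app"))  # only the legitimate app
```

The first lookup returns two rows for one app_id, which is the ambiguity the advisory describes; the other two return exactly one.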

Advisories

No advisories yet.

History

Sat, 20 Jun 2026 15:30:00 +0000

Type          Values Removed    Values Added
Description   (empty)           Capgo before 12.128.2 uses ILIKE pattern matching instead of exact matching for app_id lookup in the preview subdomain resolver, allowing underscore characters in app_id to act as SQL wildcards. Attackers can create apps with app_ids differing by one character at underscore positions to cause unintended pattern matches, breaking preview functionality for legitimate apps or causing app-id confusion.
Title         (empty)           Capgo - App ID Confusion via ILIKE Wildcard in Preview Subdomain Lookup
Weaknesses    (empty)           CWE-20
References    (empty)           (empty)
Metrics       (empty)           cvssV3_1: {'score': 3.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L'}
                                cvssV4_0: {'score': 2.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-20T15:21:57.129Z

Reserved: 2026-06-20T13:06:29.994Z

Link: CVE-2026-56325

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-20T16:30:08Z

Weaknesses

  • CWE-20: Improper Input Validation