Description
Capgo before 12.128.2 allows multiple public channels for the same app and platform to coexist simultaneously, while unnamed /updates requests without defaultChannel implicitly resolve to a single hidden winner channel. An authorized app or channel manager can create ambiguous default update state and silently influence which bundle unnamed clients receive, breaking release routing integrity and predictability.
Published: 2026-06-30
Score: 7.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Capgo versions prior to 12.128.2 allow multiple public channels to coexist for the same application and platform. An unnamed /updates request lacking a defaultChannel inadvertently resolves to a single hidden winner channel. This design lets an authorized application or channel manager create an ambiguous default update state and silently influence which bundle unnamed clients receive, thereby breaking the integrity and predictability of release routing.

Affected Systems

The affected system is Capgo, the server‑facing push‑notification platform, and any instance running a version older than 12.128.2. Installation via GitHub or Docker images before this release are also vulnerable. No specific version ranges are provided beyond the cutoff of 12.128.2.

Risk and Exploitability

The CVSS score of 7.1 classifies this flaw as high severity. Although the EPSS score is not available, the lack of listing in CISA KEV suggests no known widespread exploitation yet. The likely attack vector involves a privileged channel manager who can manipulate channel configuration. As this privilege is typically held by trusted personnel, the risk of compromise lies with insider or stolen credentials. Mitigation requires upgrading to a patched release and tightening channel management.

Generated by OpenCVE AI on June 30, 2026 at 23:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Capgo to version 12.128.2 or newer to eliminate the ability to create multiple public channels for the same app and platform.
  • Verify configuration to enforce a single default channel for each app and platform, ensuring that unnamed /updates requests resolve deterministically.
  • Restrict channel creation and management privileges to trusted personnel and audit channel manager accounts for misuse.

Generated by OpenCVE AI on June 30, 2026 at 23:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 30 Jun 2026 22:45:00 +0000

Type Values Removed Values Added
Description Capgo before 12.128.2 allows multiple public channels for the same app and platform to coexist simultaneously, while unnamed /updates requests without defaultChannel implicitly resolve to a single hidden winner channel. An authorized app or channel manager can create ambiguous default update state and silently influence which bundle unnamed clients receive, breaking release routing integrity and predictability.
Title Capgo - Integrity Issue in Release Routing via Multiple Public Channels
Weaknesses CWE-670
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N'}

cvssV4_0

{'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N'}


Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-30T22:08:32.000Z

Reserved: 2026-06-20T13:06:29.994Z

Link: CVE-2026-56328

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-30T23:30:04Z

Weaknesses
  • CWE-670

    Always-Incorrect Control Flow Implementation