Impact
Capgo versions prior to 12.128.2 allow multiple public channels to coexist for the same application and platform. An unnamed /updates request lacking a defaultChannel inadvertently resolves to a single hidden winner channel. This design lets an authorized application or channel manager create an ambiguous default update state and silently influence which bundle unnamed clients receive, thereby breaking the integrity and predictability of release routing.
Affected Systems
The affected system is Capgo, the server‑facing push‑notification platform, and any instance running a version older than 12.128.2. Installation via GitHub or Docker images before this release are also vulnerable. No specific version ranges are provided beyond the cutoff of 12.128.2.
Risk and Exploitability
The CVSS score of 7.1 classifies this flaw as high severity. Although the EPSS score is not available, the lack of listing in CISA KEV suggests no known widespread exploitation yet. The likely attack vector involves a privileged channel manager who can manipulate channel configuration. As this privilege is typically held by trusted personnel, the risk of compromise lies with insider or stolen credentials. Mitigation requires upgrading to a patched release and tightening channel management.
OpenCVE Enrichment