CVE-2026-56314
Deferred Deferred - Pending Action

Capgo Missing Filter in Channel Version Joins Allows Deleted Bundle Deployment

Vulnerability report for CVE-2026-56314, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-22

Last updated on: 2026-06-23

Assigner: VulnCheck

Description

Capgo before 12.128.12 fails to filter deleted app versions when joining channels during /updates resolution, allowing deleted bundles to remain selectable. Attackers can continue deploying deleted bundles to devices by exploiting the missing app_versions.deleted filter in channel version joins.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-22
Last Modified
2026-06-23
Generated
2026-07-13
AI Q&A
2026-06-23
EPSS Evaluated
2026-07-11
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
capgo capgo to 12.128.12 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-672 The product uses, accesses, or otherwise operates on a resource after that resource has been expired, released, or revoked.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

This vulnerability exists in Capgo versions before 12.128.12. The issue is that the software fails to filter out deleted app versions when joining channels during the /updates resolution process. Because of this, deleted bundles remain selectable, allowing attackers to deploy these deleted bundles to devices by exploiting the missing filter on deleted app versions.

Impact Analysis

The vulnerability can impact you by allowing attackers to deploy deleted app bundles to your devices. This could lead to unauthorized or unintended software being installed, potentially causing security risks or operational issues.

Detection Guidance

This vulnerability involves deleted app versions remaining selectable during /updates endpoint resolution due to missing filtering. Detection would involve monitoring requests to the /updates endpoint and inspecting if deleted bundles (marked with app_versions.deleted = true) are still being returned or deployed.

Commands or methods to detect this could include querying the /updates endpoint and analyzing the response for bundles that should have been deleted but are still present.

For example, using curl or similar HTTP clients to request updates and then filtering the response for deleted bundles might help identify the issue.

  • curl -X GET https://<capgo-server>/updates -H 'Authorization: Bearer <token>'
  • Inspect the JSON response for any app_versions where the deleted flag is true but the bundle is still included.
Mitigation Strategies

Immediate mitigation involves upgrading Capgo to version 12.128.12 or later, where the filtering of deleted app versions during channel joins in the /updates endpoint is properly implemented.

Until an upgrade is possible, consider manually verifying and removing references to deleted bundles from channels to prevent devices from receiving deleted versions.

Additionally, monitor update deployments closely to detect any unintended delivery of deleted bundles and restrict access to the /updates endpoint if feasible.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-56314. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart