CVE-2026-56325
Received Received - Intake
Capgo Preview Subdomain Resolver ILIKE Wildcard Bypass

Publication date: 2026-06-20

Last updated on: 2026-06-20

Assigner: VulnCheck

Description
Capgo before 12.128.2 uses ILIKE pattern matching instead of exact matching for app_id lookup in the preview subdomain resolver, allowing underscore characters in app_id to act as SQL wildcards. Attackers can create apps with app_ids differing by one character at underscore positions to cause unintended pattern matches, breaking preview functionality for legitimate apps or causing app-id confusion.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-20
Last Modified
2026-06-20
Generated
2026-06-20
AI Q&A
2026-06-20
EPSS Evaluated
N/A
NVD
CVE-2026-56325
EUVD
EUVD-2026-38113
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
capgo capgo to 12.128.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-56325 affects Capgo versions before 12.128.2 and involves the preview subdomain resolver using a Postgres ILIKE pattern match instead of an exact match for app_id lookup.

Because underscores (_) in app_id values act as single-character wildcards in SQL ILIKE queries, app_ids containing underscores can unintentionally match multiple different app_ids.

Attackers can exploit this by creating apps with app_ids differing by one character at underscore positions, causing unintended pattern matches that break preview functionality or cause app-id confusion.

Impact Analysis

This vulnerability can cause the preview feature for legitimate apps to fail, returning errors like "app_not_found" even when the app exists and preview is enabled.

It can also lead to app-id confusion, where one app's preview request unintentionally matches another app's data, potentially disrupting normal operations.

Overall, the impact includes broken functionality and denial of service for affected apps.

Detection Guidance

This vulnerability involves the use of ILIKE pattern matching in the preview subdomain resolver for app_id lookups, which can cause unintended matches when app_ids contain underscore characters.

To detect this vulnerability on your system, you can check the version of the Capgo package installed and verify if it is prior to 12.128.2.

Additionally, you can monitor for preview endpoint errors such as "app_not_found" responses despite the app existing and preview being enabled, which may indicate the issue.

There are no specific commands provided in the resources, but general commands to check the installed package version include:

  • npm list capgo
  • npm ls capgo

To detect unusual app_id conflicts or preview failures, you may need to review application logs or database queries related to app_id lookups in the preview subdomain resolver.

Mitigation Strategies

The recommended immediate mitigation is to upgrade the Capgo package to version 12.128.2 or later, where the issue is fixed by replacing ILIKE pattern matching with exact matching (.eq) or escaping LIKE wildcards.

Alternatively, if upgrading is not immediately possible, you can consider disallowing underscores in app_id values to prevent wildcard matching.

Monitoring and alerting on preview endpoint failures or app_id confusion can also help identify exploitation attempts.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-56325. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart