CVE-2026-56328
Status: Received - Intake

BaseFortify

Vulnerability report for CVE-2026-56328, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-30

Last updated on: 2026-06-30

Assigner: VulnCheck

Description

Capgo before 12.128.2 allows multiple public channels for the same app and platform to coexist simultaneously, while unnamed /updates requests without defaultChannel implicitly resolve to a single hidden winner channel. An authorized app or channel manager can create ambiguous default update state and silently influence which bundle unnamed clients receive, breaking release routing integrity and predictability.


Meta Information

Published: 2026-06-30
Last Modified: 2026-06-30
Generated: 2026-07-01
AI Q&A: 2026-07-01
EPSS Evaluated: N/A

Affected Vendors & Products

One associated CPE:

Vendor: capgo
Product: capgo
Version / Range: up to 12.128.2 (exclusive), i.e. all versions before 12.128.2

Exploitability

CWE: CWE-670 (Always-Incorrect Control Flow Implementation)
The code contains a control flow path that does not reflect the algorithm that the path is intended to implement, leading to incorrect behavior any time this path is navigated.

AI Quick Actions

Executive Summary

This vulnerability exists in Capgo versions before 12.128.2 and involves the handling of multiple public channels for the same app and platform. Specifically, unnamed /updates requests that do not specify a defaultChannel implicitly resolve to a single hidden 'winner' channel. This allows an authorized app or channel manager to create an ambiguous default update state and silently influence which update bundle unnamed clients receive.

As a result, the integrity and predictability of release routing are broken, meaning that clients may receive unexpected or unintended update bundles.

Impact Analysis

The vulnerability can impact users by breaking the integrity and predictability of software update delivery. Since an authorized app or channel manager can influence which update bundles unnamed clients receive without their knowledge, this could lead to clients receiving unintended or potentially harmful updates.

This could result in inconsistent application behavior, potential security risks if malicious or incorrect updates are delivered, and a loss of trust in the update mechanism.
