CVE-2026-56254
Deferred Deferred - Pending Action

End-to-End Encryption Key Exposure in Capgo Capacitor Updater

Vulnerability report for CVE-2026-56254, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-10

Last updated on: 2026-07-10

Assigner: VulnCheck

Description

In @capgo/capacitor-updater (Cap-go/capgo) before 12.128.2, the end-to-end encryption scheme distributes the private key to each device that downloads the app. Because the public key can be derived from the private key, an attacker performing a man-in-the-middle attack or compromising the Capgo server can create a validly signed update bundle and cause devices to install an update not produced by the original app maker.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-10
Last Modified
2026-07-10
Generated
2026-07-10
AI Q&A
2026-07-10
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
capgo capacitor-updater to 12.128.2 (exc)
capgo capacitor_updater to 12.128.2 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-320 Key Management Errors

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

This vulnerability allows attackers to create and distribute malicious update bundles by exploiting the improper distribution of private keys, potentially leading to unauthorized software updates on devices.

Such unauthorized updates could compromise the integrity and security of the affected systems, which may result in violations of data protection and security requirements mandated by common standards and regulations like GDPR and HIPAA.

Specifically, the risk of man-in-the-middle attacks or server compromises could lead to unauthorized access or alteration of sensitive data, undermining confidentiality, integrity, and availability controls required by these regulations.

Therefore, organizations using affected versions of the capacitor-updater library might face compliance challenges if this vulnerability is exploited and not remediated.

Impact Analysis

The vulnerability allows attackers to push unauthorized updates to devices by creating validly signed malicious update bundles. This can lead to devices installing software updates that are not from the legitimate app developer, potentially compromising device security and user data. The attack vectors include man-in-the-middle attacks or direct compromise of the Capgo server.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade the @capgo/capacitor-updater package to version 12.128.2 or later once it is available.

This update addresses the flaw in the end-to-end encryption mechanism that improperly distributes the private key to each device, preventing attackers from creating malicious update bundles.

Executive Summary

This vulnerability exists in the @capgo/capacitor-updater package before version 12.128.2. The issue is that the private key used in the end-to-end encryption scheme is distributed to every device that downloads the app. Since the public key can be derived from this private key, an attacker who performs a man-in-the-middle attack or compromises the Capgo server can create a malicious update bundle that appears valid. This malicious update can then be installed on devices, even though it was not produced by the original app maker.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-56254. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart