CVE-2026-56329
Deferred Deferred - Pending Action

Capgo Preview Hostname Parsing Collision Vulnerability

Vulnerability report for CVE-2026-56329, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-10

Last updated on: 2026-07-10

Assigner: VulnCheck

Description

Capgo before 12.128.2 contains a cross-tenant preview namespace collision vulnerability caused by non-bijective decoding of double underscores to dots in preview hostname parsing. Attackers can register app IDs with underscores that collide with other tenants' dotted app IDs, causing preview misrouting and denial of preview access for victim applications.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-10
Last Modified
2026-07-10
Generated
2026-07-10
AI Q&A
2026-07-10
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
capgo capgo to 12.128.2 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-436 Product A handles inputs or steps differently than Product B, which causes A to perform incorrect actions based on its perception of B's state.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-56329 is a cross-tenant preview namespace collision vulnerability in Capgo versions before 12.128.2. It occurs because the system decodes double underscores (__) in app IDs into dots (.) in a way that is not reversible (non-bijective). This means that app IDs using underscores can collide with other tenants' app IDs that use dots, causing both to resolve to the same preview hostname.

As a result, an attacker can register an app ID with underscores that conflicts with another tenant's dotted app ID, leading to preview misrouting or denial of preview access for the victim's application. This compromises the integrity of the preview namespace and enables cross-tenant shadowing, although it does not allow arbitrary code execution or full content takeover.

Impact Analysis

This vulnerability can impact you by causing preview misrouting and denial of preview access for your applications hosted on Capgo. Attackers can exploit the namespace collision to occupy your preview namespace, effectively blocking or interfering with your ability to preview your app.

While it does not allow attackers to execute arbitrary code or take over your content fully, it compromises the integrity of your preview environment and can disrupt your development or deployment workflows.

Mitigation Strategies

The immediate step to mitigate this vulnerability is to upgrade Capgo to version 12.128.2 or later, where the issue has been patched.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Detection Guidance

This vulnerability involves a cross-tenant preview namespace collision caused by non-bijective decoding of double underscores to dots in app IDs within Capgo preview hostname parsing.

To detect this vulnerability on your system, you should check if your Capgo installation is a version before 12.128.2, as the issue was patched in that version.

You can audit your registered app IDs for collisions where app IDs with double underscores (__) might decode to the same preview hostname as app IDs with dots (.). For example, look for app IDs that differ only by underscores versus dots but resolve to the same preview hostname.

Suggested commands might include querying your app ID registry or database for app IDs containing double underscores and comparing them to app IDs with dots to identify potential collisions.

  • Use a command to list app IDs containing double underscores, e.g., `grep '__' app_ids_list.txt`
  • Compare these with app IDs containing dots to find collisions, e.g., `grep '\.' app_ids_list.txt` and then manually or programmatically check for decoded equivalences.
  • Check your Capgo version with a command like `capgo --version` or by inspecting your deployment metadata.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-56329. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart