CVE Catalog

CVE-2026-56323

HighCVSS 7.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.38%

30th percentile - higher than 30% of all known CVEs

Summary

Capgo before 12.128.2 contains an information disclosure vulnerability in the /functions/v1/channel_self endpoint that allows unauthenticated attackers to enumerate non-public channel names and determine app existence and subscription status. Remote attackers can send GET requests with arbitrary app_id parameters to disclose internal rollout channels.

Risk Assessment

This vulnerability allows remote attackers to gain access to information about applications and subscription status without authentication, potentially leading to privacy breaches and data security issues for the organization.

Recommendation

It is recommended to update Capgo to version 12.128.2 or later to mitigate this vulnerability. Additionally, implementing further security measures to restrict access to sensitive endpoints is advisable.

Original NVD description (English source)

Capgo before 12.128.2 contains an information disclosure vulnerability in the /functions/v1/channel_self endpoint that allows unauthenticated attackers to enumerate non-public channel names and determine app existence and subscription status. Remote attackers can send GET requests with arbitrary app_id parameters to disclose internal rollout channels, enumerate valid applications across tenants, and leak billing status without authentication or device binding.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS