CVE-2026-56328 HIGH

CVE-2026-56328: Capgo - Integrity Issue in Release Routing via Multiple Public Channels

Vendor Capgo
Product Capgo
Weakness CWE-670
Published June 30, 2026
Last update July 1, 2026

CVSS base score

7.1/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

Capgo before 12.128.2 allows multiple public channels for the same app and platform to coexist simultaneously, while unnamed /updates requests without defaultChannel implicitly resolve to a single hidden winner channel. An authorized app or channel manager can create ambiguous default update state and silently influence which bundle unnamed clients receive, breaking release routing integrity and predictability.

Key dates

02Disclosure timeline

June 30, 2026 CVE published
July 1, 2026 Record updated