CVE-2026-56323

HIGH SEVERITY

CVSS Score & Metrics

Base Score

7.5 / 10

Vector String

                                        CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N                                    

Vulnerability Description

Capgo before 12.128.2 contains an information disclosure vulnerability in the /functions/v1/channel_self endpoint that allows unauthenticated attackers to enumerate non-public channel names and determine app existence and subscription status. Remote attackers can send GET requests with arbitrary app_id parameters to disclose internal rollout channels, enumerate valid applications across tenants, and leak billing status without authentication or device binding.

Vulnerability Details

Published Date

June 22, 2026

Last Modified

June 23, 2026

CWE ID

CWE-200

Source

NVD

Vendor

Capgo

Product

Capgo

External References

https://github.com/Cap-go/capgo/security/advisories/GHSA-469v-6vw5-hxpq
https://www.vulncheck.com/advisories/capgo-unauthenticated-channel-enumeration-and-app-oracle-via-get-channel-self
https://github.com/Cap-go/capgo/security/advisories/GHSA-469v-6vw5-hxpq

CVE-2026-56323

CVSS Score & Metrics

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment