End-to-End Encryption Bypass in Capacitor-Updater by Cap-go
CVE-2026-56254

8.3HIGH

Key Information:

Vendor
CVE Published:
10 July 2026

What is CVE-2026-56254?

The capacitor-updater by Cap-go prior to version 12.128.2 contains a critical flaw in its end-to-end encryption scheme, where the private key used for encryption is distributed to devices that download the app. This design allows an attacker to derive the public key from the private key, leading to potential exploitation through man-in-the-middle attacks or server compromise. An attacker can forge an update bundle that appears legitimately signed, enabling the installation of unauthorized updates on user devices. This vulnerability compromises the integrity of the app and could lead to severe security breaches.

Affected Version(s)

capacitor-updater 0 < 12.128.2

capacitor-updater 12.128.2

References

CVSS V4

Score:
8.3
Severity:
HIGH
Confidentiality:
Low
Integrity:
High
Availability:
Low
Attack Vector:
Network
Attack Complexity:
High
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.