Information Disclosure Vulnerability in Cap-go by Cap-go
CVE-2026-56296

6.9MEDIUM

Key Information:

Vendor

Cap-go

Status
Vendor
CVE Published:
11 July 2026

What is CVE-2026-56296?

Cap-go prior to version 12.128.2 suffers from an information disclosure vulnerability within the public.transfer_app RPC function. This flaw allows unauthenticated attackers to exploit differences in error messages returned for existing versus non-existing app IDs. By manipulating requests using only the publishable API key, attackers can enumerate valid app IDs, which can lead to further targeted attacks. It is essential for users of affected versions to update to the latest version to mitigate potential risks.

Affected Version(s)

capgo 0 < 12.128.2

capgo 12.128.2

References

CVSS V4

Score:
6.9
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Judel777
.