Information Disclosure Vulnerability in Capgo by Capgo
CVE-2026-56323

8.7HIGH

Key Information:

Vendor: Capgo
Status: Capgo
Vendor: CVE Published:; 22 June 2026

What is CVE-2026-56323?

An information disclosure vulnerability exists in Capgo prior to version 12.128.2 through the /functions/v1/channel_self endpoint. This flaw allows attackers without authentication to send GET requests with arbitrary app_id parameters, enabling them to enumerate non-public channel names and verify app existence and subscription status. This exposure can lead to the leakage of internal rollout channels and billing status, significantly compromising app privacy and security.

Affected Version(s)

Capgo 0 < 12.128.2

Capgo 12.128.2

References

https://github.com/Cap-go/capgo/security/advisories/GHSA-...

vendor-advisory

https://www.vulncheck.com/advisories/capgo-unauthenticate...

third-party-advisory

CVSS V4

Score:

8.7

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 22, 2026
Vulnerability Reserved
Jun 20, 2026

Credit

Judel777

CVE-2026-56323 Data

JSON