All intelligence
// vulnerability record
cached · NVD via COSMOS syncCVE-2026-56328
HIGHpublished 2026-06-30 23:17 UTC · 4 days ago · modified 2026-07-01 16:16 UTC
7.1
CVSS / 10
// description
Capgo before 12.128.2 allows multiple public channels for the same app and platform to coexist simultaneously, while unnamed /updates requests without defaultChannel implicitly resolve to a single hidden winner channel. An authorized app or channel manager can create ambiguous default update state and silently influence which bundle unnamed clients receive, breaking release routing integrity and predictability.
// weaknesses (CWE)
- CWE-670