CVE-2026-56323

Description

Capgo before 12.128.2 contains an information disclosure vulnerability in the /functions/v1/channel_self endpoint that allows unauthenticated attackers to enumerate non-public channel names and determine app existence and subscription status. Remote attackers can send GET requests with arbitrary app_id parameters to disclose internal rollout channels, enumerate valid applications across tenants, and leak billing status without authentication or device binding.

References

• https://github.com/Cap-go/capgo/security/advisories/GHSA-469v-6vw5-hxpq
• https://www.vulncheck.com/advisories/capgo-unauthenticated-channel-enumeration-and-app-oracle-via-get-channel-self