ГлавнаяУязвимости → CVE-2026-56323
7.5высокая

CVE-2026-56323

Описание

Capgo before 12.128.2 contains an information disclosure vulnerability in the /functions/v1/channel_self endpoint that allows unauthenticated attackers to enumerate non-public channel names and determine app existence and subscription status. Remote attackers can send GET requests with arbitrary app_id parameters to disclose internal rollout channels, enumerate valid applications across tenants, and leak billing status without authentication or device binding.

CVSS
Балл7.5 — высокая
ВекторCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Источники
https://github.com/Cap-go/capgo/security/advisories/GHSA-469v-6vw5-hxpqhttps://www.vulncheck.com/advisories/capgo-unauthenticated-channel-enumeration-and-app-oracle-via-get-channel-selfhttps://github.com/Cap-go/capgo/security/advisories/GHSA-469v-6vw5-hxpq