PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-56325 Capgo CVE debrief

CVE-2026-56325 is a low-severity vulnerability in Capgo before 12.128.2. The issue arises from the use of ILIKE pattern matching instead of exact matching for app_id lookup in the preview subdomain resolver. This allows attackers to create apps with app_ids differing by one character at underscore positions, potentially causing unintended pattern matches. This could break preview functionality for legitimate apps or lead to app-id confusion. The CVSS score for this vulnerability is 2.3, indicating a low severity. Defenders should assess their exposure and prioritize patching or mitigating this vulnerability.

Vendor
Capgo
Product
Unknown
CVSS
LOW 2.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-20
Original CVE updated
2026-06-22
Advisory published
2026-06-20
Advisory updated
2026-06-22

Who should care

Organizations using Capgo versions before 12.128.2 should be aware of this vulnerability and take steps to mitigate or patch it. The impact is relatively low, but the potential for app-id confusion and disruption of preview functionality exists. Defenders should review their Capgo installations and ensure they are running a patched version.

Technical summary

The vulnerability in Capgo before 12.128.2 stems from the use of ILIKE pattern matching for app_id lookup in the preview subdomain resolver. ILIKE is a SQL operator that performs a case-insensitive LIKE operation, so the value is treated as a pattern rather than a literal string; in a LIKE pattern an underscore matches any single character, which means underscore characters in app_id act as SQL wildcards. An attacker could create apps with app_ids that differ by one character at underscore positions to cause unintended pattern matches. This could lead to two issues: breaking the preview functionality for legitimate apps or causing app-id confusion. The CVSS vector for this vulnerability is CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X, with a score of 2.3, indicating low severity.
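The following is an added illustration of the lookup class described above, not Capgo's own code: a pattern-based app_id lookup beside an exact-match lookup and an escaped-pattern variant, run against a constructed in-memory table. It assumes SQLite, whose LIKE is case-insensitive for ASCII and so stands in for PostgreSQL ILIKE; the table name, column name and sample app_ids are constructed for the demo.

```python
import sqlite3

# Constructed sample data: a legitimate app plus one whose app_id differs only
# at the position where the legitimate id has an underscore.
SAMPLE_APP_IDS = ["com.example.my_app", "com.example.myXapp", "com.other.app"]


def _db():
    # Hypothetical schema: a single "apps" table keyed by app_id.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE apps (app_id TEXT PRIMARY KEY)")
    con.executemany("INSERT INTO apps VALUES (?)", [(a,) for a in SAMPLE_APP_IDS])
    return con


def lookup_like(app_id):
    """Weak lookup: the subdomain value becomes a LIKE pattern, so every '_'
    matches any single character and the result can contain several apps.
    A resolver that expects exactly one row either errors (preview breaks) or
    picks an arbitrary row (app-id confusion)."""
    rows = _db().execute("SELECT app_id FROM apps WHERE app_id LIKE ?", (app_id,))
    return sorted(r[0] for r in rows)


def lookup_exact(app_id):
    """Hardened lookup: plain equality, no wildcard interpretation."""
    rows = _db().execute("SELECT app_id FROM apps WHERE app_id = ?", (app_id,))
    return sorted(r[0] for r in rows)


def escape_like(value, esc="\\"):
    """Escape LIKE metacharacters so the value matches itself only.
    Useful where pattern matching must stay (e.g. case-insensitive lookup)."""
    return (value.replace(esc, esc + esc)
                 .replace("%", esc + "%")
                 .replace("_", esc + "_"))


def lookup_like_escaped(app_id):
    """Pattern lookup with the user value escaped; '_' is now literal."""
    rows = _db().execute("SELECT app_id FROM apps WHERE app_id LIKE ? ESCAPE '\\'",
                         (escape_like(app_id),))
    return sorted(r[0] for r in rows)
```

Resolving the legitimate subdomain with lookup_like returns both com.example.my_app and com.example.myXapp, while lookup_exact and lookup_like_escaped return only the legitimate app.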

Defensive priority

Low severity, but prioritize patching or mitigating due to potential app-id confusion and preview functionality disruption.

Recommended defensive actions

  • Inventory Capgo installations to identify potentially affected versions.
  • Review official advisories from Capgo for patching guidance.
  • Apply the patched version (12.128.2 or later) to mitigate the vulnerability.
  • Monitor for unusual app_id activity or preview subdomain resolver issues.
  • Consider implementing compensating controls, such as stricter app_id validation.

Evidence notes

The primary evidence for this vulnerability comes from the CVE-2026-56325 record and references provided by Vulncheck. The affected product is Capgo, with versions before 12.128.2 being vulnerable. The evidence suggests that the ILIKE pattern matching allows underscore characters in app_id to act as SQL wildcards, leading to potential app-id confusion. Defenders should verify this information with official sources, such as the Capgo security advisories (GHSA-cw88-ch2j-8vqj) and Vulncheck's advisory on the issue.

Official resources

This article is AI-assisted and based on the supplied source corpus.