Capgo before 12.128.2 contains an authorization bypass vulnerability in the channel creation endpoint that allows authenticated users to overwrite existing channels by reusing their names. Attackers with app.create_channel permission can exploit a logic mismatch between existence validation and upsert operations to reassign channel ownership and modify critical production channel configurations.
Metrics
Affected Vendors & Products
References
History
Tue, 30 Jun 2026 22:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Capgo before 12.128.2 contains an authorization bypass vulnerability in the channel creation endpoint that allows authenticated users to overwrite existing channels by reusing their names. Attackers with app.create_channel permission can exploit a logic mismatch between existence validation and upsert operations to reassign channel ownership and modify critical production channel configurations. | |
| Title | Capgo - Unauthorized Channel Overwrite and Ownership Takeover via POST /channel Name Collision | |
| Weaknesses | CWE-285 | |
| References |
| |
| Metrics |
cvssV3_1
|
Status: PUBLISHED
Assigner: VulnCheck
Published:
Updated: 2026-06-30T22:08:25.919Z
Reserved: 2026-06-19T21:53:16.001Z
Link: CVE-2026-56249
No data.
No data.
No data.
OpenCVE Enrichment
Updated: 2026-06-30T23:30:04Z