๐Ÿ” CVE Alert

CVE-2026-56254

HIGH 7.0

capacitor-updater - End-to-End Encryption Bypass via Private Key Distribution

CVSS Score
7.0
EPSS Score
0.0%
EPSS Percentile
0th

In @capgo/capacitor-updater (Cap-go/capgo) before 12.128.2, the end-to-end encryption scheme distributes the private key to each device that downloads the app. Because the public key can be derived from the private key, an attacker performing a man-in-the-middle attack or compromising the Capgo server can create a validly signed update bundle and cause devices to install an update not produced by the original app maker.

CWE CWE-320
Vendor capacitor-updater
Product capacitor-updater
Published Jul 10, 2026
Last Updated Jul 10, 2026
Stay Ahead of the Next One

Get instant alerts for capacitor-updater capacitor-updater

Be the first to know when new high vulnerabilities affecting capacitor-updater capacitor-updater are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:L
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
High
Availability
Low

Affected Versions

capacitor-updater / capacitor-updater
0 < 12.128.2

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/Cap-go/capgo/security/advisories/GHSA-j2f4-4pfc-p8rx vulncheck.com: https://www.vulncheck.com/advisories/capacitor-updater-end-to-end-encryption-bypass-via-private-key-distribution