GHSA-v24w-qp6p-4wjw
A vulnerability in @capgo/capacitor-updater before version 12.128.2 allows the private key used in the end-to-end encryption scheme to be distributed to each device that downloads the app. Since the public key can be derived from the private key, an attacker who performs a man-in-the-middle attack or compromises the Capgo server can create a validly signed update bundle. This enables the attacker to cause devices to install malicious updates not produced by the original app maker.
AI Analysis
Technical Summary
The @capgo/capacitor-updater package versions prior to 12.128.2 have a cryptographic design flaw where the private key is distributed to every device downloading the app. Because the public key is derivable from the private key, an attacker with network interception capabilities or server compromise can forge update bundles that appear validly signed. This undermines the integrity of the update mechanism and allows unauthorized code execution through malicious updates.
Potential Impact
An attacker capable of intercepting communications or compromising the Capgo server can produce malicious update bundles that devices will accept as legitimate. This can lead to unauthorized code execution on affected devices by installing updates not created by the original app developer, potentially compromising device security and user data.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, avoid using vulnerable versions of @capgo/capacitor-updater or restrict update mechanisms to trusted networks to reduce the risk of man-in-the-middle attacks.
GHSA-v24w-qp6p-4wjw
Description
A vulnerability in @capgo/capacitor-updater before version 12.128.2 allows the private key used in the end-to-end encryption scheme to be distributed to each device that downloads the app. Since the public key can be derived from the private key, an attacker who performs a man-in-the-middle attack or compromises the Capgo server can create a validly signed update bundle. This enables the attacker to cause devices to install malicious updates not produced by the original app maker.
CVSS v4.0
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The @capgo/capacitor-updater package versions prior to 12.128.2 have a cryptographic design flaw where the private key is distributed to every device downloading the app. Because the public key is derivable from the private key, an attacker with network interception capabilities or server compromise can forge update bundles that appear validly signed. This undermines the integrity of the update mechanism and allows unauthorized code execution through malicious updates.
Potential Impact
An attacker capable of intercepting communications or compromising the Capgo server can produce malicious update bundles that devices will accept as legitimate. This can lead to unauthorized code execution on affected devices by installing updates not created by the original app developer, potentially compromising device security and user data.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, avoid using vulnerable versions of @capgo/capacitor-updater or restrict update mechanisms to trusted networks to reduce the risk of man-in-the-middle attacks.
Technical Details
- Gcve Source
- db.gcve.eu
- Osv Id
- GHSA-v24w-qp6p-4wjw
- Osv Schema Version
- 1.4.0
- Aliases
- ["CVE-2026-56254"]
- Ecosystems
- []
- Database Specific Severity
- HIGH
- Cvss Version
- 4.0
Threat ID: 6a520eee68715ace4391d624
Added to database: 07/11/2026, 09:37:50 UTC
Last enriched: 07/11/2026, 10:10:04 UTC
Last updated: 07/12/2026, 03:35:54 UTC
Views: 5
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.