CVE-2026-56337

Capgo before 12.128.2 contains an information disclosure vulnerability in the public.exist app v2 RPC function that allows unauthenticated attackers to enumerate app ids by calling POST /rest/v1/rpc/exist app v2 with arbitrary appid parameters. Remote attackers can exploit this SECURITY DEFINER function to determine whether specific app ids exist in the public.apps table, enabling cross-tenant app enumeration and privacy violations.