CVE-2026-56323

Capgo before 12.128.2 contains an information disclosure vulnerability in the /functions/v1/channel self endpoint that allows unauthenticated attackers to enumerate non-public channel names and determine app existence and subscription status. Remote attackers can send GET requests with arbitrary app id parameters to disclose internal rollout channels, enumerate valid applications across tenants, and leak billing status without authentication or device binding.