PT-2026-57167 · Capacitor Updater · Capacitor-Updater

Published

2026-07-10

·

Updated

2026-07-10

·

CVE-2026-56254

CVSS v3.1

7.0

High

VectorAV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:L
In @capgo/capacitor-updater (Cap-go/capgo) before 12.128.2, the end-to-end encryption scheme distributes the private key to each device that downloads the app. Because the public key can be derived from the private key, an attacker performing a man-in-the-middle attack or compromising the Capgo server can create a validly signed update bundle and cause devices to install an update not produced by the original app maker.

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-56254

Affected Products

Capacitor-Updater