PT-2026-57167 · Capacitor Updater · Capacitor-Updater
Published
2026-07-10
·
Updated
2026-07-10
·
CVE-2026-56254
CVSS v3.1
7.0
High
| Vector | AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:L |
In @capgo/capacitor-updater (Cap-go/capgo) before 12.128.2, the end-to-end encryption scheme distributes the private key to each device that downloads the app. Because the public key can be derived from the private key, an attacker performing a man-in-the-middle attack or compromising the Capgo server can create a validly signed update bundle and cause devices to install an update not produced by the original app maker.
Fix
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Capacitor-Updater