Home

Description

Capgo before 12.128.2 contains a cross-tenant preview namespace collision vulnerability caused by non-bijective decoding of double underscores to dots in preview hostname parsing. Attackers can register app IDs with underscores that collide with other tenants' dotted app IDs, causing preview misrouting and denial of preview access for victim applications.

PUBLISHED Reserved 2026-06-20 | Published 2026-07-10 | Updated 2026-07-10 | Assigner VulnCheck




MEDIUM: 5.3CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:L/SA:L
MEDIUM: 6.4CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L

Problem types

Interpretation Conflict

Product status

Default status
unaffected

Any version before 12.128.2
affected

12.128.2 (semver)
unaffected

Credits

Judel777 reporter

References

github.com/.../capgo/security/advisories/GHSA-76qq-gg2p-pwwj exploit

github.com/.../capgo/security/advisories/GHSA-76qq-gg2p-pwwj (GitHub Security Advisory (GHSA-76qq-gg2p-pwwj)) vendor-advisory

www.vulncheck.com/...n-via-non-bijective-underscore-decoding (VulnCheck Advisory: Capgo - Cross-Tenant Preview Namespace Collision via Non-Bijective Underscore Decoding) third-party-advisory

cve.org (CVE-2026-56329)

nvd.nist.gov (CVE-2026-56329)

Download JSON