CVE-2026-56324
HIGH
Capgo - Rate Limit Bypass via User-Controlled device_id Parameter
Title source: cna
Description
Capgo before 12.128.2 contains a rate limit bypass vulnerability in the channel_self endpoint that allows attackers to circumvent rate limiting by rotating the user-controlled device_id parameter. Attackers can send multiple requests per second by changing device_id values to flood the channel_devices table and cause database exhaustion.
References (2)
Core References
Vendor Advisory
GitHub Security Advisory (GHSA-77p2-9rcr-5w27)
https://github.com/Cap-go/capgo/security/advisories/GHSA-77p2-9rcr-5w27
Third Party Advisory
VulnCheck Advisory: Capgo - Rate Limit Bypass via User-Controlled device_id Parameter
https://www.vulncheck.com/advisories/capgo-rate-limit-bypass-via-user-controlled-device-id-parameter
Scores
CVSS v3: 8.2
EPSS: 0.0027
EPSS Percentile: 18.7%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
CISA SSVC
Vulnrichment
Exploitation: poc
Automatable: yes
Technical Impact: partial
Details
CWE: CWE-770
Status: published
Products (2)
Capgo/Capgo: < 12.128.2
Capgo/Capgo: 12.128.2
Published: Jun 22, 2026
Tracked Since: Jun 23, 2026