<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>@Capgo/Capacitor-Updater (Cap-Go/Capgo) (Before 12.128.2) - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/@capgo/capacitor-updater-cap-go/capgo-before-12.128.2/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Fri, 10 Jul 2026 15:21:10 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/@capgo/capacitor-updater-cap-go/capgo-before-12.128.2/feed.xml" rel="self" type="application/rss+xml"/><item><title>Capacitor Updater Vulnerability Allows Malicious Update Installation via Private Key Distribution</title><link>https://feed.craftedsignal.io/briefs/2026-07-capacitor-updater-key-distro/</link><pubDate>Fri, 10 Jul 2026 15:21:10 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-capacitor-updater-key-distro/</guid><description>A vulnerability, CVE-2026-56254, in @capgo/capacitor-updater (Cap-go/capgo) before version 12.128.2 allows an attacker to create and distribute validly signed malicious application updates by leveraging the improper distribution of a private key to each client device, enabling man-in-the-middle or server compromise scenarios.</description><content:encoded><![CDATA[<p>CVE-2026-56254 impacts the <code>@capgo/capacitor-updater</code> component in Cap-go/capgo, versions prior to 12.128.2. This vulnerability stems from a flaw in the end-to-end encryption scheme where the private key used for signing updates is distributed to every device that downloads the application. Since the public key can be derived from this private key, an attacker who can perform a man-in-the-middle attack or compromise the Capgo server can sign and distribute their own malicious update bundles. This allows them to bypass the legitimate update mechanism and cause devices to install unauthorized software, granting them control over the affected applications and potentially the underlying devices. The primary concern for defenders is the integrity of application updates, as compromised updates can lead to further system compromise, data exfiltration, or persistence.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker performs reconnaissance to identify applications using <code>@capgo/capacitor-updater</code> with versions before 12.128.2.</li>
<li>The attacker either compromises the Capgo server hosting legitimate application updates or positions themselves to execute a man-in-the-middle (MiTM) attack against a target device.</li>
<li>The attacker intercepts or accesses the private key, which is improperly distributed to client devices as part of the application's functionality.</li>
<li>Using the compromised private key, the attacker crafts a malicious update bundle containing arbitrary code or a backdoored version of the application.</li>
<li>The attacker signs the malicious update bundle using the unlawfully obtained private key, making it appear legitimate to vulnerable client applications.</li>
<li>During an update check, the attacker delivers the validly signed malicious update bundle to the target device, either through the compromised Capgo server or via a MiTM interception.</li>
<li>The client application, unable to distinguish the malicious update from a genuine one due to the valid signature, downloads and installs the unauthorized update.</li>
<li>The malicious update executes, achieving the attacker's objective, such as arbitrary code execution, data exfiltration, or persistent access on the compromised device.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-56254 enables an attacker to deliver unauthorized and potentially malicious updates to applications utilizing <code>@capgo/capacitor-updater</code>. This bypasses the intended security mechanisms for application integrity and supply chain trust. The direct consequences can range from denial of service if updates are corrupted, to full compromise of the application or the underlying device if the malicious update contains harmful code. This could lead to sensitive data exposure, unauthorized access to user accounts, or the installation of additional malware. The scope of impact is potentially wide, affecting all users of applications built with vulnerable versions of <code>@capgo/capacitor-updater</code>.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Patch CVE-2026-56254 immediately by updating <code>@capgo/capacitor-updater</code> to version 12.128.2 or later as indicated in the GitHub advisory linked in the references.</li>
<li>Review application build and deployment processes to ensure that private keys are managed securely and not distributed to client-side components.</li>
<li>Implement robust network monitoring for unusual traffic patterns to and from application update servers to detect potential man-in-the-middle activity.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>supply-chain</category><category>vulnerability</category><category>code-signing</category><category>software-update</category></item></channel></rss>