Authorization Bypass in Capgo Product by Vendor Capgo
CVE-2026-56257
7.1HIGH
What is CVE-2026-56257?
The vulnerability in Capgo prior to version 12.128.2 permits unauthorized direct updates to the 'public.apps.owner_org' through PostgREST. This bypasses the intended 'transfer_app()' workflow, resulting in a split-brain ownership scenario. Attackers can modify the ownership of applications directly while leaving the associated 'app_versions.owner_org' unchanged. Consequently, legacy organization keys retain access to version data, while new organizational keys govern the app record, potentially leading to unauthorized access and control discrepancies.
Affected Version(s)
Capgo 0 < 12.128.2
Capgo 12.128.2
