Authorization Flaw in Capgo Device Management Software
CVE-2026-56320
7.1HIGH
What is CVE-2026-56320?
Capgo versions prior to 12.128.2 are affected by a critical authorization flaw in the device creation endpoint. This vulnerability allows authenticated attackers to exploit a lack of validation on the org_id parameter, which can be supplied by the caller. By not verifying that the org_id matches the owner organization of the application, attackers can potentially create device records that belong to a different organization, compromising the intended authorization constraints between organizations and applications.
Affected Version(s)
Capgo 0 < 12.128.2
Capgo 12.128.2
