CVE Catalog

CVE-2026-56257

HighCVSS 7.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.18%

8th percentile — higher than 8% of all known CVEs

Summary

Capgo before 12.128.2 allows direct patching of public.apps.owner_org through PostgREST, bypassing the transfer_app() workflow and creating split-brain ownership. Attackers can directly update apps.owner_org while leaving app_versions.owner_org unchanged.

Risk Assessment

This can lead to a situation where old-org keys retain access to version data while new-org keys control the app record, creating a risk of unauthorized access.

Recommendation

It is recommended to upgrade to Capgo version 12.128.2 or later to mitigate this vulnerability and implement additional access control mechanisms.

Original NVD description (English source)

Capgo before 12.128.2 allows direct patching of public.apps.owner_org through PostgREST, bypassing the transfer_app() workflow and creating split-brain ownership. Attackers can directly update apps.owner_org while leaving app_versions.owner_org unchanged, enabling old-org keys to retain access to version data while new-org keys control the app record.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS