CVE-2026-56257
HighCVSS 7.1Exploitation Probability (EPSS)
Low risk8th percentile — higher than 8% of all known CVEs
Summary
Capgo before 12.128.2 allows direct patching of public.apps.owner_org through PostgREST, bypassing the transfer_app() workflow and creating split-brain ownership. Attackers can directly update apps.owner_org while leaving app_versions.owner_org unchanged.
Risk Assessment
This can lead to a situation where old-org keys retain access to version data while new-org keys control the app record, creating a risk of unauthorized access.
Recommendation
It is recommended to upgrade to Capgo version 12.128.2 or later to mitigate this vulnerability and implement additional access control mechanisms.
Original NVD description (English source)
Capgo before 12.128.2 allows direct patching of public.apps.owner_org through PostgREST, bypassing the transfer_app() workflow and creating split-brain ownership. Attackers can directly update apps.owner_org while leaving app_versions.owner_org unchanged, enabling old-org keys to retain access to version data while new-org keys control the app record.

