CVE-2026-56320
HighCVSS 7.1Exploitation Probability (EPSS)
Low risk13th percentile — higher than 13% of all known CVEs
Summary
An authorization flaw in Capgo before version 12.128.2 in the POST /private/create_device endpoint allows an authenticated attacker to create device records for an application using a foreign organization identifier. The lack of validation of the org_id parameter bypasses the intended org/app authorization boundary.
Risk Assessment
The organization is at risk of unauthorized device assignment to applications, potentially leading to data integrity breaches, privilege escalation, or improper access management.
Recommendation
Immediately upgrade Capgo to version 12.128.2 or later, which includes a fix for this vulnerability.
Original NVD description (English source)
Capgo before 12.128.2 contains an authorization flaw in POST /private/create_device that accepts a caller-supplied org_id parameter without validating it matches the target app's owner organization. Authenticated attackers can create device records for an application using a foreign organization identifier, bypassing the intended org/app authorization boundary.

