CVE Catalog

CVE-2026-56320

HighCVSS 7.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.22%

13th percentile — higher than 13% of all known CVEs

Summary

An authorization flaw in Capgo before version 12.128.2 in the POST /private/create_device endpoint allows an authenticated attacker to create device records for an application using a foreign organization identifier. The lack of validation of the org_id parameter bypasses the intended org/app authorization boundary.

Risk Assessment

The organization is at risk of unauthorized device assignment to applications, potentially leading to data integrity breaches, privilege escalation, or improper access management.

Recommendation

Immediately upgrade Capgo to version 12.128.2 or later, which includes a fix for this vulnerability.

Original NVD description (English source)

Capgo before 12.128.2 contains an authorization flaw in POST /private/create_device that accepts a caller-supplied org_id parameter without validating it matches the target app's owner organization. Authenticated attackers can create device records for an application using a foreign organization identifier, bypassing the intended org/app authorization boundary.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS