Home

Description

Capgo before 12.128.2 contains an authorization flaw in transfer_app() that fails to update deploy_history.owner_org when transferring applications between organizations. Attackers can exploit this omission to retain unauthorized access to deployment history records in the source organization or cause the destination organization to lose access to transferred application deployment records.

PUBLISHED Reserved 2026-06-20 | Published 2026-07-08 | Updated 2026-07-08 | Assigner VulnCheck




MEDIUM: 5.3CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
MEDIUM: 5.4CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Problem types

Improper Authorization

Product status

Default status
unaffected

Any version before 12.128.2
affected

12.128.2 (semver)
unaffected

Credits

Judel777 reporter

References

github.com/.../capgo/security/advisories/GHSA-854w-xj7g-prv3 exploit

github.com/.../capgo/security/advisories/GHSA-854w-xj7g-prv3 (GitHub Security Advisory (GHSA-854w-xj7g-prv3)) vendor-advisory

www.vulncheck.com/...e-deploy-history-update-in-transfer-app (VulnCheck Advisory: Capgo - Stale Cross-Organization Authorization via Incomplete deploy_history Update in transfer_app()) third-party-advisory

cve.org (CVE-2026-56293)

nvd.nist.gov (CVE-2026-56293)

Download JSON