CVE-2026-56257
Received - Intake
Capgo Direct Patch Bypass in PostgREST

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: VulnCheck

Description
Capgo before 12.128.2 allows direct patching of public.apps.owner_org through PostgREST, bypassing the transfer_app() workflow and creating split-brain ownership. Attackers can directly update apps.owner_org while leaving app_versions.owner_org unchanged, enabling old-org keys to retain access to version data while new-org keys control the app record.
Meta Information
Published: 2026-06-24
Last Modified: 2026-06-24
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor: capgo
Product: capgo
Version / Range: before 12.128.2 (12.128.2 excluded)
CWE ID Description
CWE-284 Improper Access Control: The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Executive Summary

This vulnerability in Capgo (before version 12.128.2) allows an attacker to bypass the intended app ownership transfer process by directly updating the public.apps.owner_org field through PostgREST.

Normally, ownership transfer goes through the transfer_app() workflow, which updates owner_org on the app record and on all of its app_versions rows together. This flaw lets an attacker change the app-level owner_org to a new organization while leaving app_versions.owner_org unchanged, resulting in a split-brain ownership state.

This means the new organization controls the app record, but the old organization still retains access to version-layer data, violating the expected single-owner rule and enabling unauthorized access to sensitive metadata.

Impact Analysis

The vulnerability can lead to unauthorized access and inconsistent ownership of app data.

  • Attackers can bypass authorization controls to manipulate app ownership.
  • Old organization keys retain access to version data even after ownership transfer.
  • New organization controls the app record but cannot fully restrict access from the previous owner.
  • This split-brain ownership can cause security risks, data leakage, and potential misuse of sensitive metadata.
Detection Guidance

This vulnerability can be detected by checking for inconsistencies between the ownership fields in the Capgo database, specifically between public.apps.owner_org and app_versions.owner_org.

A key indicator is the presence of a split-brain ownership state where the app record's owner_org differs from the app_versions.owner_org, which normally should be consistent.

You can query the database to identify such discrepancies: join each app record to its version rows and report every version row whose owner_org differs from the app's. Compare with IS DISTINCT FROM rather than NOT IN: a NOT IN subquery returns no rows at all as soon as one app_versions.owner_org is NULL, it misses apps where only some version rows were left on the old organization, and it flags every app that has no versions yet.

  • SELECT a.app_id, a.owner_org AS app_owner_org, v.owner_org AS version_owner_org, count(*) AS version_rows FROM public.apps a JOIN public.app_versions v ON v.app_id = a.app_id WHERE v.owner_org IS DISTINCT FROM a.owner_org GROUP BY a.app_id, a.owner_org, v.owner_org;

Additionally, where your deployment records transfers, an apps.owner_org value with no corresponding transfer_app() history record indicates the workflow was bypassed.
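As an added, runnable illustration of the check described in this section (this is not code from the advisory or from the Capgo project): the script below builds a small constructed fixture with the two tables reduced to the columns the advisory names, plus an assumed created_at column, and runs the split-brain check against it. The fixture uses temporary tables so the unqualified names resolve to the constructed data in a psql session; drop the fixture section and qualify the names with public. to run the same queries against a real database.

```sql
-- Added example, not from the advisory or from Capgo's repository.
-- Schema reduced to the columns the advisory names (app_id, owner_org) plus
-- an assumed created_at; all rows are constructed for the demonstration.

-- Constructed fixture: one healthy app, one app whose record was PATCHed to
-- a new org while its versions stayed behind, and one app with a NULL
-- version owner_org (the case that hides from a NOT IN query).
CREATE TEMP TABLE apps (
  app_id     text PRIMARY KEY,
  owner_org  uuid NOT NULL,
  updated_at timestamptz NOT NULL DEFAULT now()
);
CREATE TEMP TABLE app_versions (
  id         bigserial PRIMARY KEY,
  app_id     text NOT NULL REFERENCES apps(app_id),
  owner_org  uuid,                -- nullable on purpose, see query 1
  name       text NOT NULL,
  created_at timestamptz NOT NULL DEFAULT now()
);
INSERT INTO apps (app_id, owner_org) VALUES
  ('com.example.healthy', '11111111-1111-1111-1111-111111111111'),
  ('com.example.moved',   '22222222-2222-2222-2222-222222222222'),  -- app record now on org 2
  ('com.example.null',    '11111111-1111-1111-1111-111111111111');
INSERT INTO app_versions (app_id, owner_org, name) VALUES
  ('com.example.healthy', '11111111-1111-1111-1111-111111111111', '1.0.0'),
  ('com.example.moved',   '11111111-1111-1111-1111-111111111111', '1.0.0'),  -- still org 1
  ('com.example.moved',   '11111111-1111-1111-1111-111111111111', '1.0.1'),  -- still org 1
  ('com.example.null',    NULL,                                   '1.0.0');

-- Query 1: every (app, version owner) pair that disagrees with the app record.
-- IS DISTINCT FROM treats NULL as a mismatch; NOT IN (...) evaluates to NULL
-- as soon as one version row has a NULL owner_org and reports nothing.
SELECT a.app_id,
       a.owner_org        AS app_owner_org,
       v.owner_org        AS version_owner_org,
       count(*)           AS version_rows,
       max(v.created_at)  AS newest_stale_version
FROM apps a
JOIN app_versions v ON v.app_id = a.app_id
WHERE v.owner_org IS DISTINCT FROM a.owner_org
GROUP BY a.app_id, a.owner_org, v.owner_org
ORDER BY a.app_id;

-- Query 2: the same condition reduced to one number, suitable for a scheduled
-- monitoring job that alerts whenever the count is non-zero.
SELECT count(DISTINCT a.app_id) AS split_brain_apps
FROM apps a
JOIN app_versions v ON v.app_id = a.app_id
WHERE v.owner_org IS DISTINCT FROM a.owner_org;
```

On the fixture, query 1 reports com.example.moved (app record on org 2, two version rows still on org 1) and com.example.null (version row with a NULL owner), and nothing for com.example.healthy; the grouping by version owner_org matters on a real database because a partially completed transfer leaves version rows on more than one organization.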

Mitigation Strategies

The immediate mitigation step is to upgrade Capgo to version 12.128.2 or later, where this vulnerability has been patched.

Until the upgrade can be applied, block direct updates to apps.owner_org through PostgREST rather than merely limiting who can reach the API: any caller whose role holds UPDATE on the apps table can issue the PATCH, so the ability to change owner_org must be taken away from the API roles (column-level privileges, or a trigger that rejects changes made outside transfer_app()) and routed exclusively through the transfer_app() RPC.

Review and audit app ownership records to identify and correct any split-brain ownership states by ensuring that the owner_org fields in both apps and app_versions tables are consistent.

Implement stricter access controls and monitoring to detect unauthorized direct updates to ownership fields.
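An added example of the remediation this section describes, written as a PostgreSQL migration. It is not Capgo's own migration, and the fix shipped in 12.128.2 may differ. It assumes PostgREST executes table operations as the role authenticated (the role name Supabase uses for signed-in API callers), that apps.app_id is text and organization ids are uuid, that organization membership lives in public.org_users(org_id, user_id, user_right), that auth.uid() returns the caller's user id, and that name and updated_at are the columns API clients may still edit on apps; adjust all of these to your schema.

```sql
-- Added example, not Capgo's own migration. Realigns existing split-brain
-- rows, then closes the direct PATCH path in two layers and provides the one
-- sanctioned path. Role, column and table names beyond apps/app_versions/
-- owner_org/app_id are assumptions.
BEGIN;

-- 1. Repair first, before the trigger in step 3 exists, so this UPDATE is
--    not itself rejected. Version rows follow the app record here; if the
--    audit shows the app record was the tampered one, reverse the direction
--    (UPDATE apps SET owner_org = <the versions' org>) instead.
UPDATE public.app_versions v
SET    owner_org = a.owner_org
FROM   public.apps a
WHERE  a.app_id = v.app_id
  AND  v.owner_org IS DISTINCT FROM a.owner_org;

-- 2. Column-level privileges. PostgREST turns PATCH /apps?app_id=eq.X into
--    UPDATE public.apps SET ... executed as the caller's role, so a role
--    without UPDATE on owner_org gets "permission denied" from Postgres.
--    Column grants do not override a table-level grant, so revoke the
--    table-level privilege first and re-grant only the editable columns
--    (assumed list: name, updated_at).
REVOKE UPDATE ON public.apps FROM authenticated;
GRANT  UPDATE (name, updated_at) ON public.apps TO authenticated;

-- 3. Trigger guard on both tables: reject an owner_org change that did not
--    come through transfer_app(), even from roles that keep table-level
--    UPDATE. The marker is a transaction-local setting that only
--    transfer_app() sets; it is only as trustworthy as the set of functions
--    able to set it, which is why step 2 is kept as the primary control.
CREATE OR REPLACE FUNCTION public.guard_owner_org() RETURNS trigger
LANGUAGE plpgsql AS $$
BEGIN
  IF NEW.owner_org IS DISTINCT FROM OLD.owner_org
     AND current_setting('capgo.transfer_in_progress', true) IS DISTINCT FROM 'on'
  THEN
    RAISE EXCEPTION '%.owner_org may only be changed via transfer_app()', TG_TABLE_NAME
      USING ERRCODE = 'insufficient_privilege';
  END IF;
  RETURN NEW;
END;
$$;

DROP TRIGGER IF EXISTS guard_owner_org ON public.apps;
CREATE TRIGGER guard_owner_org BEFORE UPDATE OF owner_org ON public.apps
  FOR EACH ROW EXECUTE FUNCTION public.guard_owner_org();
DROP TRIGGER IF EXISTS guard_owner_org ON public.app_versions;
CREATE TRIGGER guard_owner_org BEFORE UPDATE OF owner_org ON public.app_versions
  FOR EACH ROW EXECUTE FUNCTION public.guard_owner_org();

-- 4. The sanctioned path: authorize the caller against the current owner,
--    then update both tables in the same transaction so the invariant
--    apps.owner_org = app_versions.owner_org is never observable as broken.
--    Exposed to PostgREST as POST /rpc/transfer_app.
CREATE OR REPLACE FUNCTION public.transfer_app(p_app_id text, p_new_org uuid)
RETURNS void LANGUAGE plpgsql SECURITY DEFINER SET search_path = public AS $$
DECLARE
  v_old_org uuid;
BEGIN
  SELECT owner_org INTO v_old_org FROM public.apps
   WHERE app_id = p_app_id FOR UPDATE;           -- lock the app row
  IF NOT FOUND THEN
    RAISE EXCEPTION 'unknown app %', p_app_id;
  END IF;
  -- Assumed membership table and right names; the check must be against the
  -- CURRENT owner, otherwise anyone could transfer any app to themselves.
  IF NOT EXISTS (SELECT 1 FROM public.org_users
                  WHERE org_id = v_old_org AND user_id = auth.uid()
                    AND user_right IN ('super_admin', 'admin')) THEN
    RAISE EXCEPTION 'not authorized to transfer %', p_app_id
      USING ERRCODE = 'insufficient_privilege';
  END IF;
  PERFORM set_config('capgo.transfer_in_progress', 'on', true);   -- transaction-local
  UPDATE public.apps         SET owner_org = p_new_org WHERE app_id = p_app_id;
  UPDATE public.app_versions SET owner_org = p_new_org WHERE app_id = p_app_id;
  PERFORM set_config('capgo.transfer_in_progress', 'off', true);
END;
$$;
REVOKE ALL    ON FUNCTION public.transfer_app(text, uuid) FROM PUBLIC;
GRANT EXECUTE ON FUNCTION public.transfer_app(text, uuid) TO authenticated;

COMMIT;
```

The two layers fail differently and that is deliberate: a direct PATCH from an API role is refused by the privilege system before any row is touched, while a change from a higher-privileged role or a future migration that forgets the workflow is refused by the trigger with the same SQLSTATE, so application code sees one error class for "ownership changed outside transfer_app()".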

Compliance Impact

The vulnerability in Capgo allows unauthorized access to sensitive metadata by creating a split-brain ownership scenario where old organization keys retain access to version data while new organization keys control the app record. This improper access control and authorization bypass could lead to unauthorized data exposure or access, which may conflict with compliance requirements in standards like GDPR or HIPAA that mandate strict access controls and data protection.

Specifically, the flaw violates the expected single-owner invariant for an app and enables residual cross-organization access, potentially resulting in unauthorized access to personal or sensitive data. Such unauthorized access could be considered a breach under regulations requiring data confidentiality and integrity.
