CVE-2026-56293
Deferred Deferred - Pending Action

Authorization Bypass in Capgo Transfer App Function

Vulnerability report for CVE-2026-56293, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-08

Last updated on: 2026-07-08

Assigner: VulnCheck

Description

Capgo before 12.128.2 contains an authorization flaw in transfer_app() that fails to update deploy_history.owner_org when transferring applications between organizations. Attackers can exploit this omission to retain unauthorized access to deployment history records in the source organization or cause the destination organization to lose access to transferred application deployment records.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-08
Last Modified
2026-07-08
Generated
2026-07-08
AI Q&A
2026-07-08
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
capgo capgo to 12.128.2 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-285 The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-56293 is a medium-severity vulnerability in Capgo versions before 12.128.2 caused by an authorization flaw in the transfer_app() function.

When transferring applications between organizations, the function updates ownership in several tables but fails to update the deploy_history.owner_org field.

Because deploy_history.owner_org is not updated, the source organization retains unauthorized access to deployment history records, and the destination organization may lose access to those records.

This flaw leads to stale cross-organization deployment history authorization and breaks expected authorization boundaries.

Impact Analysis

This vulnerability can impact you by allowing unauthorized access to deployment history records in the source organization after an application transfer.

It can also cause the destination organization to lose access to important deployment history records, affecting visibility and auditability of deployment progression.

This results in broken authorization boundaries between organizations, potentially exposing sensitive deployment data to unauthorized parties and impairing operational transparency.

Detection Guidance

This vulnerability involves the failure to update the deploy_history.owner_org field during application transfers between organizations in Capgo. Detection would require inspecting the deploy_history table to identify records where the owner_org does not match the current organization ownership of the transferred application.

A possible approach is to query the database to find discrepancies between the deploy_history.owner_org field and the current app ownership in related tables such as public.apps.

  • Example SQL command to detect stale deploy_history ownership records:
  • SELECT dh.* FROM deploy_history dh JOIN public.apps a ON dh.app_id = a.id WHERE dh.owner_org != a.owner_org;

This query identifies deployment history entries whose owner_org does not match the current owner_org of the app, indicating potential stale or unauthorized access due to the vulnerability.

Mitigation Strategies

The immediate mitigation step is to update the Capgo application to version 12.128.2 or later, where the transfer_app() function has been fixed to properly update the deploy_history.owner_org field during application transfers.

If updating is not immediately possible, a temporary workaround is to manually update the deploy_history.owner_org field in the database after transferring applications to ensure ownership consistency.

  • Run an SQL update statement to synchronize deploy_history.owner_org with the current app owner_org, for example:
  • UPDATE deploy_history dh SET owner_org = a.owner_org FROM public.apps a WHERE dh.app_id = a.id AND dh.owner_org != a.owner_org;

This ensures that deployment history ownership is correctly assigned, preventing unauthorized access or loss of access to deployment records.

Compliance Impact

The vulnerability in Capgo allows unauthorized access to deployment history records across organizational boundaries due to improper authorization in the transfer_app() function. This cross-organization data access and loss of proper access control can undermine data integrity and confidentiality.

Such issues can negatively impact compliance with standards and regulations like GDPR and HIPAA, which require strict access controls, data integrity, and auditability to protect sensitive information and ensure accountability.

Specifically, the flaw may break auditability of deployment progression and violate organizational boundary authorization expectations, which are critical for regulatory compliance.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-56293. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart