Impact
Capgo before version 12.128.2 allows attackers to directly update the field public.apps.owner_org through the PostgREST API, bypassing the intended transfer_app workflow. This authorization bypass (CWE‑284) creates split‑brain ownership, enabling an attacker to change the app record owner while leaving the corresponding app_versions.owner_org unchanged. The result is that legacy organization keys retain access to version data while the new organization controls the main application metadata, risking data exposure or manipulation.
Affected Systems
All installations of Capgo released prior to 12.128.2 are vulnerable. The affected product is the Capgo push‑notification platform, and any deployment that exposes the PostgREST endpoints for app management is at risk. Upgrading to 12.128.2 or later removes the direct update path for the owner_org column, mitigating the issue.
Risk and Exploitability
The CVSS score of 7.1 indicates moderate‑to‑high severity. No EPSS score is available, so the current probability of exploitation is unknown, but it could be significant given the simplicity of the attack path. Exploitation requires authenticated access to the PostgREST service and the ability to issue UPDATE statements against the public.apps table. The most likely attack vector is an actor holding API credentials or application keys with write permission; a PostgREST endpoint that does not restrict updates to the owner_org column is what makes the direct write possible, and the resulting split‑brain state leaves the old organization with persistent access to version data even after ownership has formally changed.
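The following is an added example, not Capgo's own schema or code, showing how the mitigation described above can be expressed at the database layer that PostgREST exposes. Table columns mirror the two named in the advisory (public.apps.owner_org and public.app_versions.owner_org); the role name api_user, the org_members table, the is_org_member() helper and the app.owner_transfer session flag are assumptions. It contrasts the weak table-wide UPDATE grant with a column-level grant that omits owner_org, adds a trigger as defence in depth, routes ownership changes through a transfer_app() function that updates both tables in one transaction, and ends with an audit query that surfaces the split-brain state.

```sql
-- Added example (not Capgo's code). Names other than the two owner_org
-- columns from the advisory are assumptions.

-- Constructed minimal schema
CREATE TABLE public.orgs (id uuid PRIMARY KEY);
CREATE TABLE public.apps (
  app_id    text PRIMARY KEY,
  name      text NOT NULL,
  owner_org uuid NOT NULL REFERENCES public.orgs(id)
);
CREATE TABLE public.app_versions (
  id        bigserial PRIMARY KEY,
  app_id    text NOT NULL REFERENCES public.apps(app_id),
  owner_org uuid NOT NULL REFERENCES public.orgs(id),
  version   text NOT NULL
);
CREATE TABLE public.org_members (
  org_id  uuid NOT NULL REFERENCES public.orgs(id),
  user_id text NOT NULL,
  PRIMARY KEY (org_id, user_id)
);

-- Role PostgREST switches to for authenticated callers (assumed name).
CREATE ROLE api_user NOLOGIN;
GRANT USAGE ON SCHEMA public TO api_user;
GRANT SELECT ON public.apps, public.app_versions TO api_user;

-- Weak setting: a table-wide UPDATE grant lets any PATCH on /apps rewrite
-- owner_org directly, which is the bypass the advisory describes.
-- GRANT UPDATE ON public.apps TO api_user;

-- Corrected setting: grant UPDATE per column and leave owner_org out.
-- A column-level REVOKE does not undo a table-level GRANT, so revoke the
-- table-level right first and then grant only the editable columns.
REVOKE UPDATE ON public.apps FROM api_user;
GRANT UPDATE (name) ON public.apps TO api_user;

-- Membership check using the JWT subject PostgREST stores in
-- request.jwt.claims (assumed claim layout).
CREATE OR REPLACE FUNCTION public.is_org_member(p_org uuid) RETURNS boolean
LANGUAGE sql STABLE AS $$
  SELECT EXISTS (
    SELECT 1 FROM public.org_members
    WHERE org_id = p_org
      AND user_id = current_setting('request.jwt.claims', true)::json->>'sub'
  );
$$;

-- Defence in depth: refuse any owner_org change unless the transaction-local
-- flag set by transfer_app() is present, even if grants are misconfigured.
CREATE OR REPLACE FUNCTION public.guard_owner_org() RETURNS trigger
LANGUAGE plpgsql AS $$
BEGIN
  IF NEW.owner_org IS DISTINCT FROM OLD.owner_org
     AND current_setting('app.owner_transfer', true) IS DISTINCT FROM 'on' THEN
    RAISE EXCEPTION 'owner_org may only change through transfer_app()'
      USING ERRCODE = 'insufficient_privilege';
  END IF;
  RETURN NEW;
END $$;

CREATE TRIGGER apps_guard_owner_org
  BEFORE UPDATE ON public.apps
  FOR EACH ROW EXECUTE FUNCTION public.guard_owner_org();

-- Sanctioned path: move the app row and every version row together, so the
-- two owner_org columns can never disagree after a successful call.
CREATE OR REPLACE FUNCTION public.transfer_app(p_app_id text, p_new_org uuid)
RETURNS void LANGUAGE plpgsql SECURITY DEFINER SET search_path = public AS $$
DECLARE
  v_old_org uuid;
BEGIN
  SELECT owner_org INTO v_old_org FROM apps WHERE app_id = p_app_id FOR UPDATE;
  IF v_old_org IS NULL THEN
    RAISE EXCEPTION 'unknown app %', p_app_id;
  END IF;
  IF NOT is_org_member(v_old_org) THEN
    RAISE EXCEPTION 'caller is not a member of the owning organization'
      USING ERRCODE = 'insufficient_privilege';
  END IF;
  PERFORM set_config('app.owner_transfer', 'on', true);  -- local to this txn
  UPDATE apps         SET owner_org = p_new_org WHERE app_id = p_app_id;
  UPDATE app_versions SET owner_org = p_new_org WHERE app_id = p_app_id;
END $$;
GRANT EXECUTE ON FUNCTION public.transfer_app(text, uuid) TO api_user;

-- Audit query: any app whose version rows carry a different owner_org is in
-- the split-brain state the advisory describes and should be reconciled.
SELECT a.app_id, a.owner_org AS app_owner, v.owner_org AS version_owner
FROM public.apps a
JOIN public.app_versions v USING (app_id)
WHERE v.owner_org IS DISTINCT FROM a.owner_org;
```

With the column-level grant in place, a PATCH to /apps that includes owner_org fails with a permission error before the trigger is reached; the trigger matters when a future migration re-grants table-wide UPDATE by mistake. The audit query is the check to run once on an existing deployment after upgrading, since the fix closes the write path but does not repair rows that were already split.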
OpenCVE Enrichment