Impact
This vulnerability is an authorization flaw that lets an attacker holding valid API credentials create a device record for any application by supplying a foreign org_id in a POST request to /private/create_device. The flaw results from missing server-side validation of the org_id field, so a client can bypass the intended organization-to-application boundary. The consequence is unauthorized device registration, which can compromise data integrity, confidentiality, or service availability. The weakness is classified as CWE-285 (Improper Authorization).
Affected Systems
Capgo, all versions prior to 12.128.2. The first release correcting the issue is 12.128.2, so any earlier releases are vulnerable to this organization mismatch flaw.
Risk and Exploitability
The CVSS score of 7.1 denotes a medium-severity risk. EPSS data is not available and the vulnerability is not listed in the CISA KEV catalog, so the likelihood of exploitation in the wild is unclear. The attack requires authenticated access: an attacker needs only a valid API token to submit a POST request carrying a foreign org_id to the private device-creation endpoint, and no privileges beyond those credentials are required. The vulnerability does not by itself yield remote code execution, but it permits unauthorized device provisioning, which can be leveraged for broader attacks on the application environment.
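The missing check described above, shown as an added TypeScript illustration that is not Capgo's own code: the data model, the handler names, the in-memory tables and the two sample organizations are hypothetical stand-ins for the real backend. The vulnerable handler trusts the org_id supplied by the client; the hardened one derives the organization from the authenticated API key and verifies that both the requested org_id and the target app belong to it.

```typescript
// Hypothetical types standing in for Capgo's real data model (assumption).
interface ApiKey { token: string; orgId: string }
interface App { appId: string; orgId: string }
interface CreateDeviceBody { org_id: string; app_id: string; device_id: string }
interface Device { orgId: string; appId: string; deviceId: string }

// Constructed sample data: two organizations, each owning one app.
// The API key belongs to org-a only.
const API_KEYS: ApiKey[] = [{ token: "key-org-a", orgId: "org-a" }];
const APPS: App[] = [
  { appId: "com.example.alpha", orgId: "org-a" },
  { appId: "com.example.beta", orgId: "org-b" },
];

// Vulnerable pattern (CWE-285): only authentication is checked, so the
// body's org_id/app_id are stored as-is and a valid key for org-a can
// register a device under org-b's app.
function createDeviceVulnerable(token: string, body: CreateDeviceBody): Device | null {
  const key = API_KEYS.find((k) => k.token === token);
  if (!key) return null;                      // unauthenticated request
  return { orgId: body.org_id, appId: body.app_id, deviceId: body.device_id };
}

// Hardened pattern: the organization comes from the authenticated key, and
// both the supplied org_id and the target app must belong to that organization.
function createDeviceHardened(token: string, body: CreateDeviceBody): Device | null {
  const key = API_KEYS.find((k) => k.token === token);
  if (!key) return null;                      // unauthenticated request
  if (body.org_id !== key.orgId) return null; // foreign org_id rejected
  const app = APPS.find((a) => a.appId === body.app_id);
  if (!app || app.orgId !== key.orgId) return null; // app must be owned by caller's org
  // Persist the server-derived org, never the client-supplied one.
  return { orgId: key.orgId, appId: app.appId, deviceId: body.device_id };
}
```

A server-side test that submits a foreign org_id with an otherwise valid key and expects a rejection is the regression check worth keeping for this class of flaw.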
OpenCVE Enrichment