Description
Capgo before 12.128.2 contains an authorization flaw in POST /private/create_device that accepts a caller-supplied org_id parameter without validating it matches the target app's owner organization. Authenticated attackers can create device records for an application using a foreign organization identifier, bypassing the intended org/app authorization boundary.
Published: 2026-06-30
Score: 7.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability is an authorization flaw (CWE-285, Improper Authorization) that lets an authenticated caller create a device record for an application its organization does not own. POST /private/create_device accepts an org_id field from the request and never checks that it matches the organization that owns the target app, so the caller can submit any org_id and cross the intended org/app boundary. The direct consequence is unauthorized device registration: both CVSS vectors rate the integrity impact as high and the confidentiality impact as low, with no availability impact.

Affected Systems

Capgo, all versions before 12.128.2. Release 12.128.2 is the first to correct the issue; every earlier release should be treated as affected by this organization mismatch flaw.

Risk and Exploitability

The CVSS 3.1 and 4.0 base scores of 7.1 both fall in the High severity band: network-reachable, low attack complexity, low privileges required, no user interaction, low confidentiality impact, high integrity impact, no availability impact. EPSS data is not available and the vulnerability is not listed in the CISA KEV catalog, so the likelihood of exploitation in the wild is unknown. Exploitation requires authenticated access: a caller holding a valid token for any organization submits a POST to /private/create_device whose org_id names an organization other than the one that owns the target app. No privileges beyond ordinary authenticated access are needed. The flaw does not yield code execution; its effect is unauthorized device provisioning across organization boundaries, and the downstream consequences depend on what Capgo's device and update-management features do with the forged device records.

Generated by OpenCVE AI on June 30, 2026 at 23:23 UTC.

Remediation

The CVE record carries no vendor solution or workaround text. The affected range given in the description ("before 12.128.2") indicates that 12.128.2 is the first release without the flaw.

OpenCVE Recommended Actions

  • Update Capgo to version 12.128.2 or later, which validates that the org_id supplied to POST /private/create_device matches the target app's owner organization.
  • If an immediate update is not possible, stop trusting the request's org_id: look up the organization that owns the target app on the server side, reject (or ignore) any supplied org_id that differs from it, and confirm the caller belongs to that organization before inserting the device record.
  • Review and tighten API key scopes and role‑based access controls so that only trusted accounts can invoke the device creation endpoint.
  • Audit existing device records for rows whose org_id does not match the owner organization of their app; such rows are the trace an exploitation of this flaw would leave.
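
The check the description says is missing, and the fix the recommended actions describe, as an added example that is not Capgo's code: a minimal TypeScript handler that authorizes against the caller-supplied org_id beside one that derives the organization from the app's owner record. The data model, request shape, user and organization names, and the function names (createDeviceVulnerable, createDeviceFixed, foreignDevices) are all assumed for illustration; nothing here is taken from the Capgo source.

```typescript
// Added illustration of the CWE-285 pattern in a device-creation endpoint.
// NOT Capgo's code: the data model (apps, orgs, members, devices), the
// request shape and all function names are assumed for the example.

type App = { appId: string; ownerOrg: string };
type Device = { deviceId: string; appId: string; orgId: string };
type CreateDeviceRequest = { app_id: string; device_id: string; org_id: string };
type Result = { status: number; body: string };

// Constructed sample state: two organizations, one app and one user each.
const APPS: App[] = [
  { appId: "com.alpha.app", ownerOrg: "org-alpha" },
  { appId: "com.beta.app", ownerOrg: "org-beta" },
];
const MEMBERS: Record<string, string[]> = {
  "org-alpha": ["user-alice"],
  "org-beta": ["user-bob"],
};
const DEVICES: Device[] = [];

function findApp(appId: string): App | undefined {
  return APPS.find((a) => a.appId === appId);
}

function isMember(userId: string, orgId: string): boolean {
  return (MEMBERS[orgId] ?? []).includes(userId);
}

// VULNERABLE: the only authorization check is that the caller belongs to the
// org_id *they* put in the request. The app's owner organization is never
// consulted, so a member of org-beta can write a device record under
// org-alpha's app simply by naming org-beta as org_id.
function createDeviceVulnerable(userId: string, req: CreateDeviceRequest): Result {
  if (!findApp(req.app_id)) return { status: 404, body: "app not found" };
  if (!isMember(userId, req.org_id)) return { status: 403, body: "not a member of org_id" };
  DEVICES.push({ deviceId: req.device_id, appId: req.app_id, orgId: req.org_id });
  return { status: 200, body: "created" };
}

// FIXED: the authoritative organization is the one that owns the app, read
// from the server-side record. A supplied org_id must match it, membership is
// checked against it, and the stored row uses it rather than the request value.
function createDeviceFixed(userId: string, req: CreateDeviceRequest): Result {
  const app = findApp(req.app_id);
  if (!app) return { status: 404, body: "app not found" };
  if (req.org_id !== app.ownerOrg) return { status: 403, body: "org_id does not match app owner" };
  if (!isMember(userId, app.ownerOrg)) return { status: 403, body: "not a member of app owner org" };
  DEVICES.push({ deviceId: req.device_id, appId: req.app_id, orgId: app.ownerOrg });
  return { status: 200, body: "created" };
}

// Post-hoc audit for the weakness: device rows whose org_id differs from the
// owner organization of their app are exactly what the unchecked path writes.
function foreignDevices(): Device[] {
  return DEVICES.filter((d) => findApp(d.appId)?.ownerOrg !== d.orgId);
}

// Demo: bob (org-beta) targets alpha's app while naming his own org.
const attack: CreateDeviceRequest = { app_id: "com.alpha.app", device_id: "dev-1", org_id: "org-beta" };
console.log(createDeviceVulnerable("user-bob", attack).status); // 200: foreign record written
console.log(createDeviceFixed("user-bob", attack).status);      // 403: rejected
console.log(foreignDevices().length);                           // 1: the row from the vulnerable path
```

The foreignDevices() pass is the audit a deployment that ran an affected version would want: a device row whose org_id is not its app's owner organization is the signature of a write through the unchecked path.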

Generated by OpenCVE AI on June 30, 2026 at 23:23 UTC.

Advisories

No advisories yet.

History

Tue, 30 Jun 2026 22:45:00 +0000

Type         Values Removed   Values Added
Description  -                Capgo before 12.128.2 contains an authorization flaw in POST /private/create_device that accepts a caller-supplied org_id parameter without validating it matches the target app's owner organization. Authenticated attackers can create device records for an application using a foreign organization identifier, bypassing the intended org/app authorization boundary.
Title        -                Capgo - Org/App Scope Mismatch in Device Creation Endpoint
Weaknesses   -                CWE-285
References   -                -
Metrics      -                cvssV3_1 {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N'}
                              cvssV4_0 {'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-30T22:08:30.611Z

Reserved: 2026-06-20T12:59:07.917Z

Link: CVE-2026-56320

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-30T23:30:04Z

Weaknesses