All intelligence
// vulnerability record
cached · NVD via COSMOS syncCVE-2026-56320
HIGHpublished 2026-06-30 23:17 UTC · 4 days ago · modified 2026-07-01 16:16 UTC
7.1
CVSS / 10
// description
Capgo before 12.128.2 contains an authorization flaw in POST /private/create_device that accepts a caller-supplied org_id parameter without validating it matches the target app's owner organization. Authenticated attackers can create device records for an application using a foreign organization identifier, bypassing the intended org/app authorization boundary.
// weaknesses (CWE)
- CWE-285