Analysis and contextual insights are available on OpenCVE Cloud.
No vendor fix or workaround currently provided.
Additional remediation guidance may be available on OpenCVE Cloud.
Tracking
Sign in to view the affected projects.
No advisories yet.
Wed, 01 Jul 2026 16:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Wed, 01 Jul 2026 09:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Cap-go
Cap-go cap-go |
|
| Vendors & Products |
Cap-go
Cap-go cap-go |
Tue, 30 Jun 2026 22:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Capgo before 12.128.2 contains an authorization flaw in POST /private/create_device that accepts a caller-supplied org_id parameter without validating it matches the target app's owner organization. Authenticated attackers can create device records for an application using a foreign organization identifier, bypassing the intended org/app authorization boundary. | |
| Title | Capgo - Org/App Scope Mismatch in Device Creation Endpoint | |
| Weaknesses | CWE-285 | |
| References |
| |
| Metrics |
cvssV3_1
|
Status: PUBLISHED
Assigner: VulnCheck
Published:
Updated: 2026-07-01T15:02:29.500Z
Reserved: 2026-06-20T12:59:07.917Z
Link: CVE-2026-56320
Updated: 2026-07-01T15:01:33.560Z
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-01T09:15:15Z