Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1336 CNY

100%

CVE-2026-56293— Capgo - Stale Cross-Organization Authorization via Incomplete deploy_history Update in transfer_app()

CVSS 5.4 · Medium

Possible ATT&CK Techniques 1AI

T1528 · Steal Application Access Token

Affected Version Matrix 2

VendorProductVersion RangeStatus
CapgoCapgo< 12.128.2affected
12.128.2unaffected
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-56293

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
Capgo - Stale Cross-Organization Authorization via Incomplete deploy_history Update in transfer_app()
Source: NVD (National Vulnerability Database)
Vulnerability Description
Capgo before 12.128.2 contains an authorization flaw in transfer_app() that fails to update deploy_history.owner_org when transferring applications between organizations. Attackers can exploit this omission to retain unauthorized access to deployment history records in the source organization or cause the destination organization to lose access to transferred application deployment records.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
授权机制不恰当
Source: NVD (National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
CapgoCapgo 0 ~ 12.128.2 -

II. Public POCs for CVE-2026-56293

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2026-56293

登录查看更多情报信息。

Vendor Advisories for CVE-2026-56293 (1)

Other References for CVE-2026-56293 (1)

Same Patch Batch · Capgo · 2026-07-08 · 7 CVEs total

CVE-2026-562468.1 HIGHCapgo - Cross-Organization Authorization Bypass via Scoped API Key Privilege Inheritance
CVE-2026-562507.5 HIGHCapgo - Arbitrary R2 Object Deletion via Mutable r2_path in app_versions
CVE-2026-562206.5 MEDIUMCapgo - Unauthorized Manifest Insertion via Read-Only Org Member
CVE-2026-562835.4 MEDIUMCapgo - HTML Injection Leading to Open Redirection in Organization Settings
CVE-2026-562984.3 MEDIUMCapgo - EXIF Metadata Exposure in App Information Image Upload
CVE-2026-562174.3 MEDIUMCapgo - Encrypted Bundle Policy Bypass via Direct PostgREST Update

IV. Related Vulnerabilities

V. Comments for CVE-2026-56293

No comments yet


Leave a comment