CVE-2026-56257

CVSS v3: 7.1 (HIGH)
CVSS v2: N/A
Affected: 1 project

Description

Capgo before 12.128.2 allows direct patching of public.apps.owner_org through PostgREST, bypassing the transfer_app() workflow and creating split-brain ownership. Attackers can directly update apps.owner_org while leaving app_versions.owner_org unchanged, enabling old-org keys to retain access to version data while new-org keys control the app record.
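A consistency check for the split-brain state described above, as an added example that is not Capgo's code: it runs a portable SQL query over constructed rows in an in-memory SQLite database standing in for PostgreSQL. The `app_id` join column, the table layouts beyond `owner_org`, and the org and app names are assumptions.

```python
import sqlite3

# Assumption: app_versions rows reference apps through an app_id column.
# Null-aware comparison written portably (PostgreSQL could use IS DISTINCT FROM).
DRIFT_QUERY = """
SELECT a.app_id, a.owner_org, v.owner_org, COUNT(*)
FROM apps AS a
JOIN app_versions AS v ON v.app_id = a.app_id
WHERE v.owner_org <> a.owner_org
   OR v.owner_org IS NULL OR a.owner_org IS NULL
GROUP BY a.app_id, a.owner_org, v.owner_org
ORDER BY a.app_id
"""

def build_sample_db():
    """Constructed data: two apps owned by org-a, two versions each."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE apps (app_id TEXT PRIMARY KEY, owner_org TEXT);
        CREATE TABLE app_versions (
            id INTEGER PRIMARY KEY, app_id TEXT, name TEXT, owner_org TEXT);
        INSERT INTO apps VALUES
            ('com.example.drift', 'org-a'), ('com.example.moved', 'org-a');
        INSERT INTO app_versions (app_id, name, owner_org) VALUES
            ('com.example.drift', '1.0.0', 'org-a'),
            ('com.example.drift', '1.0.1', 'org-a'),
            ('com.example.moved', '2.0.0', 'org-a'),
            ('com.example.moved', '2.1.0', 'org-a');
    """)
    # State left by a write to apps.owner_org alone: versions keep the old org.
    db.execute("UPDATE apps SET owner_org = 'org-b' WHERE app_id = 'com.example.drift'")
    # For comparison, a change that keeps both tables in step (constructed here,
    # not Capgo's transfer_app()): one transaction updates both.
    with db:
        db.execute("UPDATE apps SET owner_org = 'org-b' WHERE app_id = 'com.example.moved'")
        db.execute("UPDATE app_versions SET owner_org = 'org-b' "
                   "WHERE app_id = 'com.example.moved'")
    return db

def find_split_ownership(db):
    """Return (app_id, app_org, version_org, version_count) per mismatch."""
    return db.execute(DRIFT_QUERY).fetchall()

if __name__ == "__main__":
    for row in find_split_ownership(build_sample_db()):
        print("split ownership: app=%s apps.owner_org=%s "
              "app_versions.owner_org=%s versions=%d" % row)
```

Any row the query returns is an app whose record and version data are attributed to different organisations and needs reconciling after upgrading to 12.128.2 or later.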

Console, Backend and CLI to manage Capgo Instant update and Native build for Capacitor apps