Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-accessible with low privileges required since attacker must be authenticated; confidentiality and integrity impact limited to deployment history records with no availability or scope-change effect.
Primary rating from Vendor (vulncheck).
CVSS VectorVendor: vulncheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
Capgo before 12.128.2 contains an authorization flaw in transfer_app() that fails to update deploy_history.owner_org when transferring applications between organizations. Attackers can exploit this omission to retain unauthorized access to deployment history records in the source organization or cause the destination organization to lose access to transferred application deployment records.
AnalysisAI
Incomplete state management in Capgo's transfer_app() function allows low-privileged authenticated users to retain or cause loss of access to deployment history records across organizations. Specifically, the function fails to update the deploy_history.owner_org field during inter-organization application transfers in all versions before 12.128.2, creating a persistent stale authorization grant. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated Capgo account with at least low-level privileges (PR:L per the CVSS 4.0 vector) in an instance configured with multiple organizations where the transfer_app() function is available and used. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N) characterizes this as a network-accessible, low-complexity flaw requiring low-privilege authentication with limited confidentiality and integrity impact confined to the vulnerable system. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An authenticated low-privilege user within a multi-organization Capgo instance initiates a cross-organization application transfer. After the transfer completes, because deploy_history.owner_org is not updated, the attacker retains access to deployment history records in the source organization - reading deployment timelines, version metadata, and release configurations - or prevents the destination organization from accessing those records through the now-inconsistent ownership field. … |
| Remediation | Upgrade Capgo to version 12.128.2 or later, which resolves the incomplete deploy_history.owner_org update in transfer_app(). … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-285 – Improper Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42254
GHSA-9ph8-2cv6-679j