Capgo before 12.128.2 allows direct patching of public.apps.ownerorg through PostgREST, bypassing the transferapp() workflow and creating split-brain ownership. Attackers can directly update apps.ownerorg while leaving appversions.owner_org unchanged, enabling old-org keys to retain access to version data while new-org keys control the app record.
{
"cna_assigner": "VulnCheck",
"cwe_ids": [
"CWE-284"
],
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/56xxx/CVE-2026-56257.json"
}