CVE-2026-56222

Summary

Capgo before 12.128.2 contains an authorization bypass vulnerability in POST /private/role_bindings that fails to verify app_id ownership during app-scoped role binding creation. An attacker with administrative privileges in one organization can create role bindings targeting applications owned by other organizations, enabling unauthorized read and modification of victim applications.

Affected Software

VendorProductVersion RangeStatus
CapgoCapgo0 < 12.128.2affected
CapgoCapgo12.128.2unaffected

Weaknesses

  • CWE-639: Authorization Bypass Through User-Controlled Key

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: total

Additional References

References