CVE-2026-56222
8.6
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Summary
Capgo before 12.128.2 contains an authorization bypass vulnerability in POST /private/role_bindings that fails to verify app_id ownership during app-scoped role binding creation. An attacker with administrative privileges in one organization can create role bindings targeting applications owned by other organizations, enabling unauthorized read and modification of victim applications.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Capgo | Capgo | 0 < 12.128.2 | affected |
| Capgo | Capgo | 12.128.2 | unaffected |
Weaknesses
- CWE-639: Authorization Bypass Through User-Controlled Key
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: no
- Technical Impact: total
Additional References
References
- https://github.com/Cap-go/capgo/security/advisories/GHSA-5r52-m8r9-7f8x
- https://www.vulncheck.com/advisories/capgo-cross-organization-app-takeover-via-mismatched-org-id-and-app-id-in-private-role-bindings
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.