CVE Catalog

CVE-2026-56219

HighCVSS 7.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.34%

26th percentile — higher than 26% of all known CVEs

Summary

A vulnerability in Capgo before version 12.128.2 allows unauthenticated attackers to bypass authorization in the public.get_org_user_access_rbac function. By exploiting improper NULL comparison in the authorization gate, attackers can disclose RBAC role bindings and member email addresses using only a public API key.

Risk Assessment

The risk involves unauthorized access to sensitive organizational data such as role structures and email addresses, which could lead to further social engineering attacks or privilege escalation.

Recommendation

Immediately upgrade Capgo to version 12.128.2 or later, which includes a fix for this vulnerability. Additionally, restrict access to public API keys and monitor logs for suspicious queries to the PostgREST RPC endpoint.

Original NVD description (English source)

Capgo before 12.128.2 contains a NULL-auth bypass vulnerability in the public.get_org_user_access_rbac function that allows unauthenticated attackers to retrieve RBAC role bindings and member email addresses. Attackers can exploit improper NULL comparison in the authorization gate to disclose organization membership, roles, and email addresses via the PostgREST RPC endpoint using only a public API key.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS