CVE Catalog

CVE-2026-56222

HighCVSS 7.2
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.36%

27th percentile — higher than 27% of all known CVEs

Summary

Capgo before version 12.128.2 contains an authorization bypass vulnerability in POST /private/role_bindings that fails to verify app_id ownership during app-scoped role binding creation. An attacker with administrative privileges in one organization can create role bindings targeting applications owned by other organizations.

Risk Assessment

This vulnerability allows unauthorized access to victim applications, potentially leading to unauthorized read and modification of data. This poses a serious threat to data security within the organization.

Recommendation

It is recommended to update Capgo to version 12.128.2 or later to mitigate this vulnerability. Additionally, an audit of administrative privileges within the organization should be conducted.

Original NVD description (English source)

Capgo before 12.128.2 contains an authorization bypass vulnerability in POST /private/role_bindings that fails to verify app_id ownership during app-scoped role binding creation. An attacker with administrative privileges in one organization can create role bindings targeting applications owned by other organizations, enabling unauthorized read and modification of victim applications.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS