CVE-2026-56247
HighCVSS 8.8Exploitation Probability (EPSS)
Low risk22th percentile — higher than 22% of all known CVEs
Summary
A vulnerability in Capgo before version 12.128.2 allows org admins to assign org-scoped RBAC roles at app scope without validating role scope compatibility, including to pending invitees. Attackers can pre-seed malformed high-privilege bindings that survive invite acceptance, enabling accepted low-privilege users to perform unauthorized privileged app actions.
Risk Assessment
The risk involves potential privilege escalation by low-privilege users, leading to unauthorized access to sensitive application functions and compromise of system integrity.
Recommendation
It is recommended to immediately upgrade Capgo to version 12.128.2 or later, which includes a fix that validates RBAC role scope compatibility.
Original NVD description (English source)
Capgo before 12.128.2 allows org admins to assign org-scoped RBAC roles at app scope without validating role scope compatibility, including to pending invitees. Attackers can pre-seed malformed high-privilege bindings that survive invite acceptance, enabling accepted low-privilege users to perform unauthorized privileged app actions.

