CVE Catalog

CVE-2026-56247

HighCVSS 8.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.30%

22th percentile — higher than 22% of all known CVEs

Summary

A vulnerability in Capgo before version 12.128.2 allows org admins to assign org-scoped RBAC roles at app scope without validating role scope compatibility, including to pending invitees. Attackers can pre-seed malformed high-privilege bindings that survive invite acceptance, enabling accepted low-privilege users to perform unauthorized privileged app actions.

Risk Assessment

The risk involves potential privilege escalation by low-privilege users, leading to unauthorized access to sensitive application functions and compromise of system integrity.

Recommendation

It is recommended to immediately upgrade Capgo to version 12.128.2 or later, which includes a fix that validates RBAC role scope compatibility.

Original NVD description (English source)

Capgo before 12.128.2 allows org admins to assign org-scoped RBAC roles at app scope without validating role scope compatibility, including to pending invitees. Attackers can pre-seed malformed high-privilege bindings that survive invite acceptance, enabling accepted low-privilege users to perform unauthorized privileged app actions.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS