CVE Catalog

CVE-2026-56253

HighCVSS 7.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.25%

16th percentile - higher than 16% of all known CVEs

Summary

Capgo versions before 12.128.2 contain an improper access control vulnerability in the public.get_org_members RPC function that allows unauthenticated attackers to enumerate organization members. Attackers can invoke the endpoint using only the public sb_publishable_* key and an organization UUID to retrieve sensitive member information including email addresses, user IDs, roles, and pending invitations.

Risk Assessment

This vulnerability poses a risk of exposing sensitive member data, which could lead to further attacks or privacy breaches. Organizations may face loss of trust and potential legal consequences.

Recommendation

It is recommended to update Capgo to version 12.128.2 or later to mitigate this vulnerability. Additionally, conducting an API access audit is advisable to minimize the risk of unauthorized access.

Original NVD description (English source)

Capgo before 12.128.2 contains an improper access control vulnerability in the public.get_org_members RPC function that allows unauthenticated attackers to enumerate organization members. Attackers can invoke the endpoint using only the public sb_publishable_* key and an organization UUID to retrieve sensitive member information including email addresses, user IDs, roles, and pending invitations.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS