CVE-2026-56310
MediumCVSS 4.3Exploitation Probability (EPSS)
Low risk8th percentile — higher than 8% of all known CVEs
Summary
Cap-go before version 12.128.2 contains an authorization bypass vulnerability in the GET /organization/members endpoint that allows org-limited API keys to bypass limited_to_orgs restrictions. Attackers with such keys can access membership data from organizations outside their assigned scope.
Risk Assessment
This vulnerability may lead to unauthorized access to sensitive membership data, posing a serious threat to data privacy and security.
Recommendation
It is recommended to upgrade to version 12.128.2 or later to mitigate this vulnerability and review the API key management policy to restrict access to organization data.
Original NVD description (English source)
Cap-go before 12.128.2 contains an authorization bypass vulnerability in the GET /organization/members endpoint that allows org-limited API keys to bypass limited_to_orgs restrictions. Attackers with org-limited API keys can read membership data including uid, email, image_url, role, and is_tmp from organizations outside their assigned scope.

