CVE-2026-56333
MediumCVSS 4.3Exploitation Probability (EPSS)
Low risk14th percentile — higher than 14% of all known CVEs
Summary
A vulnerability in Capgo before version 12.128.2 allows server-side validation bypass in organization security settings. Authenticated org admins can persist invalid security policy state by directly updating the public.orgs table from the browser.
Risk Assessment
Attackers can configure unsafe parameters like max API key expiration days, weakening security policies and potentially leading to unauthorized access.
Recommendation
Immediately update Capgo to version 12.128.2 or later, which includes a fix for this vulnerability.
Original NVD description (English source)
Capgo before 12.128.2 contains a server-side validation bypass vulnerability in organization security settings that allows authenticated org admins to persist invalid security policy state. Attackers can bypass backend validation by directly updating the public.orgs table from the browser, circumventing field-level validation checks for max_apikey_expiration_days and other security-sensitive configuration parameters.

