CVE-2026-56222 PUBLISHED

Capgo - Cross-Organization App Takeover via Mismatched org_id and app_id in /private/role_bindings

Assigner: VulnCheck
Reserved: 19.06.2026 Published: 23.06.2026 Updated: 23.06.2026

Capgo before 12.128.2 contains an authorization bypass vulnerability in POST /private/role_bindings that fails to verify app_id ownership during app-scoped role binding creation. An attacker with administrative privileges in one organization can create role bindings targeting applications owned by other organizations, enabling unauthorized read and modification of victim applications.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CVSS Score: 8.6

Product Status

Vendor Capgo
Product Capgo
Versions Default: unaffected
  • affected from 0 to 12.128.2 (excl.)
  • Version 12.128.2 is unaffected

Credits

  • zerlyer reporter

References

Problem Types

  • Authorization Bypass Through User-Controlled Key CWE