CVE-2026-56222

HIGH EPSS 27.5%
Published Jun 23, 2026 (1w ago) · Modified Jun 24, 2026 (6d ago)
8.6 CVSS 4.0
High

Description

Capgo before 12.128.2 contains an authorization bypass (CWE-639, insecure direct object reference) in POST /private/role_bindings. When creating an app-scoped role binding, the endpoint checks that the caller administers the supplied org_id but does not verify that the supplied app_id belongs to that organization. An attacker with administrative privileges in one organization can therefore create role bindings that target applications owned by other organizations, gaining unauthorized read and modification access to the victim applications.

CVSS Details

Base Score
8.6
Vector string
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector Network
Attack Complexity Low
Attack Requirements None
Privileges Required High
User Interaction None
Vulnerable System Impact Confidentiality High / Integrity High / Availability High
Subsequent System Impact Confidentiality None / Integrity None / Availability None

Threat Intelligence

EPSS Exploit Probability
27.5% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available (as recorded; the description's "before 12.128.2" indicates that 12.128.2 is the first fixed release)

Weaknesses 1

CWE-639

References 2

  • github.com https://github.com/Cap-go/capgo/security/advisories/GHSA-5r52-m8r9-7f8x
  • vulncheck.com https://www.vulncheck.com/advisories/capgo-cross-organization-app-takeover-via-mismatched-org-id-and-app-id-in-private-role-bindings

Remediation

No remediation data recorded yet.

The description identifies 12.128.2 as the first version without the flaw, so upgrading Capgo to 12.128.2 or later is the expected fix. Confirm the fixed version against the GitHub advisory (GHSA-5r52-m8r9-7f8x) listed above and the NVD entry before relying on it.