Loading market data...
← Back to CVE feed

CVE-2026-56222

HIGH CVSS 7.2 View on NVD ↗

Description

Capgo before 12.128.2 contains an authorization bypass vulnerability in POST /private/role_bindings that fails to verify app_id ownership during app-scoped role binding creation. An attacker with administrative privileges in one organization can create role bindings targeting applications owned by other organizations, enabling unauthorized read and modification of victim applications.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Published: Jun 23, 2026 13:16 UTC Modified: Jun 23, 2026 14:52 UTC