Skip to main content

Capgo EUVDEUVD-2026-42249

| CVE-2026-56246 HIGH
Improper Authorization (CWE-285)
2026-07-08 disclosure@vulncheck.com GHSA-46rc-2xqj-534f
7.2
CVSS 4.0 · Vendor: vulncheck
Share

Severity by source

Vendor (vulncheck) PRIMARY
7.2 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.1 HIGH

Network API reachable with a valid low-privilege API key (PR:L) and no interaction; destructive DELETE actions give high integrity and availability impact but no data disclosure (C:N), scope unchanged.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (vulncheck).

CVSS VectorVendor: vulncheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

2
Patch available
Jul 08, 2026 - 15:01 EUVD
Analysis Generated
Jul 08, 2026 - 14:44 vuln.today

DescriptionCVE.org

Capgo before 12.128.2 contains a broken access control vulnerability in the organization management API where a scoped API key (limited_to_orgs) inherits its owner-user's permissions, allowing destructive cross-organization actions. When a user is an admin in two organizations and creates a write-mode API key restricted to one organization, that key can still perform destructive operations (e.g., DELETE /organization, DELETE /organization/members) against another organization. The root cause is route-level authorization (rbac_check_permission_direct) that evaluates the key owner's user privileges before enforcing the API key's limited_to_orgs scope.

AnalysisAI

Cross-organization authorization bypass in Capgo before 12.128.2 lets a scoped API key (limited_to_orgs) inherit its owner's full user permissions, so an admin holding a write key restricted to one organization can execute destructive operations against a different organization. Because route-level authorization (rbac_check_permission_direct) checks the owner's user privileges before enforcing the key's org scope, a key intended to be confined to Org A can call DELETE /organization or DELETE /organization/members on Org B. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain write-scoped API key from multi-org admin
Delivery
Identify second org where owner is admin
Exploit
Call DELETE /organization or /organization/members on that org
Execution
RBAC checks owner privileges, ignores key scope
Impact
Destroy organization or remove members

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to possess a valid write-mode Capgo API key whose owner-user holds admin privileges in at least two organizations, and the key must be nominally scoped via limited_to_orgs to one organization while the attack targets a different organization in which the owner is also admin. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The supplied CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N, VC:N/VI:H/VA:H, base 7.2 High) is internally consistent with the description: network-reachable API, low complexity, requires low-privilege authentication (a valid API key), no user interaction, and high integrity/availability impact with no confidentiality exposure - matching destructive DELETE actions rather than data theft. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A user who is an admin in both Organization A and Organization B creates a write-mode API key restricted to Organization A, intending to hand it to a CI pipeline or third party. Because the scoped key inherits the owner's cross-org admin rights, that key (or whoever holds it) can send an authenticated DELETE /organization or DELETE /organization/members request targeting Organization B and destroy that org or remove its members. …
Remediation Vendor-released patch: upgrade to Capgo 12.128.2 or later, which enforces the API key's limited_to_orgs scope in the authorization path rather than deferring solely to the owner's user privileges. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Inventory all Capgo API keys; immediately rotate or revoke scoped API keys (limited_to_orgs parameter) with administrative privileges. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-42249 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy