CVE-2026-56219

NULL-auth Bypass in Capgo Exposes RBAC Data

Vulnerability report for CVE-2026-56219, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-30

Last updated on: 2026-06-30

Assigner: VulnCheck

Description

Capgo before 12.128.2 contains a NULL-auth bypass vulnerability in the public.get_org_user_access_rbac function that allows unauthenticated attackers to retrieve RBAC role bindings and member email addresses. Attackers can exploit an improper NULL comparison in the authorization gate to disclose organization membership, roles, and email addresses via the PostgREST RPC endpoint using only a public API key.

Meta Information

Published: 2026-06-30
Last modified: 2026-06-30
Generated: 2026-07-01
AI Q&A: 2026-07-01
EPSS evaluated: N/A
External records: NVD, EUVD

Affected Vendors & Products

One associated CPE:

Vendor: capgo
Product: capgo
Version range: all versions before 12.128.2 (12.128.2 excluded)

Exploitability

CWE-287 (Improper Authentication): When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

KEV: not listed.

Executive Summary

This vulnerability exists in Capgo versions before 12.128.2 and involves a NULL-auth bypass in the public.get_org_user_access_rbac function.

It allows unauthenticated attackers to retrieve Role-Based Access Control (RBAC) role bindings and member email addresses.

The issue arises from an improper NULL comparison in the authorization gate: an unauthenticated caller has no user identity, so the comparison yields NULL rather than false and the gate fails open. It is reachable via the PostgREST RPC endpoint using only a public API key.
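The NULL-comparison failure mode named in the description and summary above, as an added PostgreSQL illustration that is not Capgo's code: the function names, the org_members table, its columns and the current_user_id() helper are all assumptions constructed for this example, not taken from the project.

```sql
-- Constructed illustration of a NULL-comparison authorization gate (not Capgo's code).
-- Assumed: SECURITY DEFINER functions exposed through PostgREST RPC, and a helper
-- current_user_id() that returns NULL when the request carries no authenticated user.

-- Vulnerable form. With an unauthenticated caller, v_caller is NULL, the membership
-- lookup finds no row, v_caller_role stays NULL, and (NULL <> 'admin') is NULL.
-- PL/pgSQL treats IF NULL like IF false, so the RAISE never fires and the function
-- falls through to the data query. A non-member authenticated caller slips past too.
CREATE OR REPLACE FUNCTION vulnerable_org_access(p_org_id uuid)
RETURNS TABLE (member_id uuid, member_email text, member_role text)
LANGUAGE plpgsql SECURITY DEFINER AS $$
DECLARE
  v_caller      uuid := current_user_id();
  v_caller_role text;
BEGIN
  SELECT om.role INTO v_caller_role
    FROM org_members om
   WHERE om.org_id = p_org_id AND om.user_id = v_caller;
  IF v_caller_role <> 'admin' THEN              -- NULL here means "no decision", not "deny"
    RAISE EXCEPTION 'not authorized' USING ERRCODE = '42501';
  END IF;
  RETURN QUERY SELECT om.user_id, om.email, om.role
                 FROM org_members om WHERE om.org_id = p_org_id;
END;
$$;

-- Hardened form: fail closed on a missing identity, then use a NULL-safe comparison.
CREATE OR REPLACE FUNCTION hardened_org_access(p_org_id uuid)
RETURNS TABLE (member_id uuid, member_email text, member_role text)
LANGUAGE plpgsql SECURITY DEFINER AS $$
DECLARE
  v_caller      uuid := current_user_id();
  v_caller_role text;
BEGIN
  IF v_caller IS NULL THEN                      -- unauthenticated: reject before comparing
    RAISE EXCEPTION 'authentication required' USING ERRCODE = '42501';
  END IF;
  SELECT om.role INTO v_caller_role
    FROM org_members om
   WHERE om.org_id = p_org_id AND om.user_id = v_caller;
  IF v_caller_role IS DISTINCT FROM 'admin' THEN  -- NULL (no membership) is now rejected
    RAISE EXCEPTION 'not authorized' USING ERRCODE = '42501';
  END IF;
  RETURN QUERY SELECT om.user_id, om.email, om.role
                 FROM org_members om WHERE om.org_id = p_org_id;
END;
$$;
```

As an independent second gate, REVOKE EXECUTE on such functions from the role PostgREST maps anonymous API-key requests to, so the RPC is not reachable without an authenticated role at all.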

Impact Analysis

An attacker exploiting this vulnerability can disclose sensitive information such as organization membership details, roles assigned to users, and their email addresses without any authentication.

This can lead to unauthorized information disclosure, potentially enabling further targeted attacks like phishing or social engineering.
