CVE-2026-56247
Status: Received - Intake

BaseFortify

Vulnerability report for CVE-2026-56247, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-30

Last updated on: 2026-06-30

Assigner: VulnCheck

Description

Capgo before 12.128.2 allows org admins to assign org-scoped RBAC roles at app scope without validating role scope compatibility, including to pending invitees. Attackers can pre-seed malformed high-privilege bindings that survive invite acceptance, enabling accepted low-privilege users to perform unauthorized privileged app actions.


Meta Information

Generated: 2026-07-01
AI Q&A: 2026-07-01
EPSS Evaluated: N/A

Affected Vendors & Products

One associated CPE:
Vendor: capgo
Product: capgo
Version / Range: up to 12.128.2 (12.128.2 excluded)

Exploitability

CWE-266: A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.

Executive Summary

This vulnerability exists in Capgo versions before 12.128.2. It allows organization administrators to assign organization-scoped Role-Based Access Control (RBAC) roles at the application scope without checking if the role scope is compatible. This flaw also applies to users who have been invited but have not yet accepted the invitation.

Attackers can exploit this by pre-seeding malformed high-privilege role bindings that remain effective even after the invitee accepts the invitation. As a result, users who should have low privileges can perform unauthorized high-privilege actions within the application.
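The two checks the description says are missing, as an added illustrative model that is not Capgo's code: a role may be bound only at the scope it was defined for, and invite acceptance re-validates any pre-seeded binding instead of activating it. Role, binding, scope and user names below are assumptions.

```python
from dataclasses import dataclass

# Hypothetical scoped-RBAC model (assumed names, not Capgo's code) showing the
# scope-compatibility check the advisory describes as missing.
ORG, APP = "org", "app"

@dataclass(frozen=True)
class Role:
    name: str
    scope: str        # scope the role is defined for: ORG or APP
    privileged: bool

@dataclass
class Binding:
    user: str         # may be a pending invitee who has not accepted yet
    role: Role
    scope: str        # scope the binding is created at
    target: str       # org id or app id
    accepted: bool = False

class ScopeMismatch(ValueError):
    pass

def bind_role_vulnerable(user, role, scope, target):
    # Before the fix: no check, so an org-scoped role lands on an app target.
    return Binding(user, role, scope, target)

def bind_role_hardened(user, role, scope, target):
    # A role may only be bound at the scope it was defined for.
    if role.scope != scope:
        raise ScopeMismatch(f"{role.name} is {role.scope}-scoped; cannot bind at {scope}")
    return Binding(user, role, scope, target)

def accept_invite(bindings, user):
    # Second line of defence: on acceptance, re-validate the invitee's
    # pre-seeded bindings and discard malformed ones instead of activating them.
    kept = []
    for b in bindings:
        if b.user == user:
            if b.role.scope != b.scope:
                continue  # drop a pre-seeded org-role-at-app-scope binding
            b.accepted = True
        kept.append(b)
    return kept

def effective_privileged_apps(bindings, user):
    # Apps where the user holds an accepted, privileged, app-scope binding.
    return sorted(b.target for b in bindings
                  if b.user == user and b.accepted
                  and b.scope == APP and b.role.privileged)
```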

Impact Analysis

The vulnerability can lead to unauthorized privilege escalation within the application. Users who are supposed to have limited access can gain high-level privileges, allowing them to perform sensitive or administrative actions they are not authorized to do.

This can result in data breaches, unauthorized changes to application settings or data, and potentially compromise the security and integrity of the organization’s systems.
