CVE-2026-56253
Status: Received - Intake
Improper Access Control in Capgo Exposes Organization Member Data

Publication date: 2026-06-21

Last updated on: 2026-06-21

Assigner: VulnCheck

Description
Capgo before 12.128.2 contains an improper access control vulnerability in the public.get_org_members RPC function that allows unauthenticated attackers to enumerate organization members. Attackers can invoke the endpoint using only the public sb_publishable_* key and an organization UUID to retrieve sensitive member information including email addresses, user IDs, roles, and pending invitations.
Affected Vendors & Products
Vendor: capgo
Product: capgo
Version range: all versions before 12.128.2 (12.128.2 itself is not affected)
CWE
CWE-284 (Improper Access Control): The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Executive Summary

CVE-2026-56253 is an improper access control vulnerability in Capgo versions before 12.128.2. It exists in the public.get_org_members RPC function, which can be called using only a public sb_publishable_* key and an organization UUID. Because the function does not authenticate the caller, unauthenticated attackers can enumerate organization members and retrieve sensitive information such as email addresses, user IDs, roles, and pending invitations.

Impact Analysis

This vulnerability allows attackers to access personally identifiable information (PII) of organization members without authentication. Attackers can obtain email addresses, user IDs, roles, and pending invitations, which reveals the organizational structure and privileged accounts. This information can be used to facilitate phishing or social engineering attacks, potentially compromising user accounts or organizational security.

Detection Guidance

To confirm whether an instance is affected, invoke the get_org_members RPC function with nothing but a public sb_publishable_* key and an organization UUID. A publishable key is designed to be embedded in client applications, so a caller holding only that key is exactly an anonymous caller. If the function returns member records (email addresses, user IDs, roles, pending invitations), the instance is vulnerable; a patched instance should answer with a permission error instead of rows. Only run this against instances you are authorized to test.

A practical check is to call the endpoint with an HTTP client such as curl. PostgREST exposes a function as /rest/v1/rpc/<function-name>; the schema (public by default) is selected by header, not written into the path, so the URL does not carry a "public." prefix. The parameter name is guild_id, as the function receives it:

  curl -X POST "https://<capgo-instance>/rest/v1/rpc/get_org_members" \
    -H "apikey: sb_publishable_<key>" \
    -H "Authorization: Bearer sb_publishable_<key>" \
    -H "Content-Type: application/json" \
    -d '{"guild_id": "<organization-uuid>"}'

If the response body is a JSON array of member objects containing emails, user IDs, roles, or pending invitations, rather than an HTTP 401/403 permission error, the vulnerability is present.

Mitigation Strategies

The immediate mitigation is to upgrade Capgo to version 12.128.2 or later, where the improper access control in the public.get_org_members RPC function has been patched.

Until the upgrade can be applied, be aware of what cannot work: a publishable key cannot be withheld from attackers, because it ships inside every client build and is meant to be public, and organization UUIDs are identifiers, not secrets. The interim control therefore has to sit on the database side: revoke EXECUTE on the function from the anon role (and from the implicit PUBLIC grant that PostgreSQL gives every new function) so that an API-key-only caller cannot reach it at all, and have the function itself verify that auth.uid() identifies a member of the requested organization before returning any rows.

More generally, review every RPC function reachable through PostgREST. Any function that the anon role may execute and that reads user data without checking the caller's identity has the same shape of bug, whether or not it has been reported yet.
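A database-side version of the two interim controls described above, written here as an added example and not taken from Capgo's own migrations. It assumes the signature public.get_org_members(guild_id uuid) implied by the RPC call in the detection section, a hypothetical membership table public.org_users(org_id uuid, user_id uuid, user_right text) whose column names are placeholders for the real schema, and the standard Supabase anon/authenticated roles and auth.uid() helper.

```sql
-- Added example (not Capgo's migration). Assumes the hypothetical table
-- public.org_users(org_id uuid, user_id uuid, user_right text) and the
-- function signature public.get_org_members(guild_id uuid).

-- 1. Audit: which functions in the public schema can the anonymous role
--    (the caller that holds only the publishable key) execute? Run as the
--    function owner (e.g. postgres), since information_schema only shows
--    privileges granted to or by the current role. PostgreSQL grants
--    EXECUTE to PUBLIC on every new function by default, so a function
--    that was never explicitly locked down will show up here.
SELECT routine_name, grantee, privilege_type
FROM information_schema.routine_privileges
WHERE specific_schema = 'public'
  AND grantee IN ('anon', 'PUBLIC')
  AND privilege_type = 'EXECUTE'
ORDER BY routine_name;

-- 2. Take the function away from anonymous callers entirely.
REVOKE EXECUTE ON FUNCTION public.get_org_members(uuid) FROM PUBLIC, anon;

-- 3. Make the function verify the caller itself, so a future grant mistake
--    is not sufficient on its own to re-expose the data. SECURITY DEFINER
--    lets it read auth.users; pinning search_path prevents object shadowing.
CREATE OR REPLACE FUNCTION public.get_org_members(guild_id uuid)
RETURNS TABLE (uid uuid, email text, user_right text)
LANGUAGE plpgsql
SECURITY DEFINER
SET search_path = public
AS $$
BEGIN
  -- No JWT subject: the request came in with the publishable key alone.
  IF auth.uid() IS NULL THEN
    RAISE EXCEPTION 'authentication required' USING ERRCODE = '42501';
  END IF;

  -- Authenticated but not a member of this organization: same answer,
  -- so the function cannot be used to probe other tenants.
  IF NOT EXISTS (
    SELECT 1 FROM public.org_users ou
    WHERE ou.org_id = guild_id AND ou.user_id = auth.uid()
  ) THEN
    RAISE EXCEPTION 'not a member of this organization' USING ERRCODE = '42501';
  END IF;

  RETURN QUERY
    SELECT ou.user_id, u.email::text, ou.user_right
    FROM public.org_users ou
    JOIN auth.users u ON u.id = ou.user_id
    WHERE ou.org_id = guild_id;
END;
$$;

-- 4. Grant it back only to signed-in users; the body still enforces membership.
GRANT EXECUTE ON FUNCTION public.get_org_members(uuid) TO authenticated;
```

Run this as a migration under the database owner. If the deployed function already exists with a different return type, CREATE OR REPLACE will refuse to change it and the function must be dropped and recreated instead. Re-run the audit query after every deploy: an empty result for grantee anon/PUBLIC on data-returning functions is the state you want to keep.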

Compliance Impact

This vulnerability allows unauthenticated attackers to access personal data of organization members (email addresses, user IDs, roles, and pending invitations). Unauthorized disclosure of such data can breach data protection regulations such as GDPR, and sector rules such as HIPAA where the affected data falls within their scope, all of which require access to personal data to be restricted and unauthorized disclosure to be prevented.

Because the flaw is a missing access control on a read-only function, its direct impact is on confidentiality: the exposed records can be read by anyone holding a public key and an organization identifier, which is precisely the unrestricted access that standards requiring least-privilege handling of personal and organizational information do not permit.
