CVE-2026-56241
Received Received - Intake

Privilege Escalation in Capgo via Stale Super_Admin Role

Vulnerability report for CVE-2026-56241, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-12

Last updated on: 2026-07-12

Assigner: VulnCheck

Description

Capgo before 12.128.2 contains a privilege escalation vulnerability where demoted super_admin users retain access to delete_non_compliant_bundles and count_non_compliant_bundles RPCs due to stale org_users.user_right column not being cleared during role binding deletion. Attackers can exploit this by maintaining a previously granted super_admin role to enumerate and bulk delete non-compliant bundles across the entire organization indefinitely.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-12
Last Modified
2026-07-12
Generated
2026-07-12
AI Q&A
2026-07-12
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
capgo capgo to 12.128.2 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-285 The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

This vulnerability allows demoted super_admin users to retain elevated privileges, enabling them to enumerate and bulk delete non-compliant bundles across the entire organization indefinitely.

Such unauthorized access and deletion of non-compliant bundles could lead to violations of compliance requirements under standards like GDPR and HIPAA, which mandate strict controls over data access, integrity, and auditability.

By allowing attackers to manipulate or delete compliance-related data, the vulnerability undermines organizational efforts to maintain regulatory compliance and could result in data breaches or loss of critical audit trails.

Executive Summary

CVE-2026-56241 is a privilege escalation vulnerability in Capgo versions before 12.128.2. When a super_admin user is demoted, the system fails to clear their elevated permissions due to stale data in the org_users.user_right column. This means that even after demotion, the user retains access to certain privileged RPC functions, specifically delete_non_compliant_bundles and count_non_compliant_bundles.

The root cause is that the role binding deletion process does not update the legacy org_users.user_right column, and the RPC authorization checks rely on this stale data instead of the proper permission checking function. As a result, demoted users can still enumerate and bulk delete non-compliant bundles across the entire organization indefinitely.

Impact Analysis

This vulnerability allows attackers who were previously super_admins but have been demoted to retain elevated privileges. They can exploit this to enumerate and bulk delete non-compliant bundles across the entire organization indefinitely.

Such unauthorized actions can disrupt organizational operations, including potentially interfering with over-the-air (OTA) updates for affected devices, leading to operational instability and data integrity issues.

Detection Guidance

This vulnerability involves demoted super_admin users retaining access to privileged RPCs due to stale org_users.user_right entries. Detection would involve checking if any users who have been demoted from super_admin still have access to the delete_non_compliant_bundles and count_non_compliant_bundles RPCs.

You can audit user roles and permissions by querying the org_users table to identify if the user_right column still reflects super_admin privileges for users who should have been demoted.

Additionally, monitoring RPC calls to delete_non_compliant_bundles and count_non_compliant_bundles for unauthorized access attempts can help detect exploitation.

  • Query the org_users table to find users with stale super_admin rights, e.g., SELECT user_id, user_right FROM org_users WHERE user_right = 'super_admin';
  • Check role bindings and compare with org_users.user_right to find inconsistencies.
  • Monitor logs or audit RPC calls to delete_non_compliant_bundles and count_non_compliant_bundles for unexpected usage.
Mitigation Strategies

Immediate mitigation involves manually correcting the stale org_users.user_right entries for demoted super_admin users to revoke their elevated permissions.

Alternatively, deleting affected user accounts can remove the retained privileges.

Applying the official fix that updates the RPC authorization checks to use rbac_check_permission_direct() and modifies the role_bindings.ts DELETE handler to clear or downgrade the org_users.user_right column is necessary for a permanent resolution.

  • Manually audit and update org_users.user_right to remove super_admin rights from demoted users.
  • Temporarily disable or restrict access to delete_non_compliant_bundles and count_non_compliant_bundles RPCs until the fix is applied.
  • Apply the patch or upgrade Capgo to version 12.128.2 or later where the vulnerability is fixed.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-56241. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart