CVE-2026-56246
Deferred Deferred - Pending Action

Broken Access Control in Capgo Organization API

Vulnerability report for CVE-2026-56246, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-08

Last updated on: 2026-07-08

Assigner: VulnCheck

Description

Capgo before 12.128.2 contains a broken access control vulnerability in the organization management API where a scoped API key (limited_to_orgs) inherits its owner-user's permissions, allowing destructive cross-organization actions. When a user is an admin in two organizations and creates a write-mode API key restricted to one organization, that key can still perform destructive operations (e.g., DELETE /organization, DELETE /organization/members) against another organization. The root cause is route-level authorization (rbac_check_permission_direct) that evaluates the key owner's user privileges before enforcing the API key's limited_to_orgs scope.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-08
Last Modified
2026-07-08
Generated
2026-07-08
AI Q&A
2026-07-08
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
capgo capgo to 12.128.2 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-285 The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-56246 is a broken access control vulnerability in Capgo before version 12.128.2 affecting the organization management API. Scoped API keys, which are supposed to be limited to specific organizations, incorrectly inherit the permissions of their owner-user. This means that if a user is an admin in multiple organizations and creates a write-mode API key restricted to one organization, that key can still perform destructive actions against other organizations where the user has admin rights.

The root cause is that the authorization check (rbac_check_permission_direct) evaluates the key owner's user privileges before enforcing the API key's limited_to_orgs scope. As a result, destructive operations like deleting organizations or organization members can be performed across organizations despite the API key's intended restrictions.

Impact Analysis

This vulnerability can lead to unauthorized destructive actions across organizations. An attacker with a scoped API key limited to one organization could delete organizations or organization members in other organizations where the key owner has admin rights.

  • Destructive operations such as DELETE /organization and DELETE /organization/members can be executed against unauthorized organizations.
  • Unauthorized deletion of organization images and stripping of RBAC privileges in organizations where the API key should not have access.

This can result in data loss, disruption of organizational management, and compromise of access controls across multiple organizations.

Detection Guidance

Detection of this vulnerability involves monitoring API usage for unauthorized cross-organization destructive actions, especially calls to endpoints like DELETE /organization and DELETE /organization/members.

Since the vulnerability allows scoped API keys to perform destructive operations outside their intended organization scope, you can look for unexpected DELETE requests originating from API keys scoped to one organization but affecting another.

Suggested commands include inspecting API logs or network traffic for such suspicious DELETE requests. For example, using command-line tools to filter logs:

  • grep 'DELETE /organization' /path/to/api/access.log
  • grep 'DELETE /organization/members' /path/to/api/access.log

Additionally, verify the scope of API keys used in these requests to check if they are performing actions outside their limited_to_orgs scope.

Mitigation Strategies

Immediate mitigation involves upgrading Capgo to version 12.128.2 or later, where the broken access control vulnerability has been fixed.

Until the upgrade is applied, restrict the creation and use of scoped API keys for users who have admin rights in multiple organizations to prevent cross-organization destructive actions.

Also, monitor and audit API key usage closely to detect and block any unauthorized destructive operations.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-56246. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart