CVE-2026-56279
Deferred Deferred - Pending Action

Information Disclosure in Capgo via Unauthenticated RPC Access

Vulnerability report for CVE-2026-56279, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-10

Last updated on: 2026-07-10

Assigner: VulnCheck

Description

Capgo before 12.128.2 contains an information disclosure vulnerability in the get_orgs_v7(userid) RPC function that remains publicly invokable despite intended private access controls. Unauthenticated attackers can supply arbitrary user UUIDs to retrieve foreign users' organization membership, roles, management emails, and billing metadata.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-10
Last Modified
2026-07-10
Generated
2026-07-10
AI Q&A
2026-07-10
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
capgo capgo to 12.128.2 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-56279 is an information disclosure vulnerability in Capgo versions before 12.128.2. It exists in the get_orgs_v7(userid) RPC function, which is intended to be private but remains publicly accessible. This flaw allows unauthenticated attackers to supply arbitrary user UUIDs and retrieve sensitive information about other users, including their organization membership, roles, management emails, and billing metadata.

The root cause of the vulnerability is missing authorization controls, classified under CWE-862, which means the system does not properly restrict access to this private function.

Impact Analysis

This vulnerability can lead to significant information disclosure risks. An attacker can anonymously access sensitive organizational data of other users without authentication.

  • Exposure of organization membership and roles
  • Disclosure of management emails
  • Leakage of billing metadata

Such information can be used for targeted attacks like phishing or tenant intelligence gathering, potentially compromising organizational security and privacy.

Detection Guidance

This vulnerability can be detected by attempting to invoke the get_orgs_v7(userid) RPC function without authentication and observing if sensitive organizational data is returned.

A practical detection method is to send an unauthenticated request to the public PostgREST endpoint calling get_orgs_v7 with arbitrary user UUIDs and check if the response includes organization membership, roles, management emails, or billing metadata.

Example command using curl to test the vulnerability might be:

  • curl -X POST https://<capgo-server>/rpc/get_orgs_v7 -H 'Content-Type: application/json' -d '{"userid":"<arbitrary-user-uuid>"}'

If the response returns sensitive data without authentication, the system is vulnerable.

Mitigation Strategies

Immediate mitigation involves enforcing proper access controls on the get_orgs_v7(userid) RPC function to prevent unauthenticated public access.

Specifically, configure the PostgREST endpoint to restrict invocation of the private overload of get_orgs_v7 to authorized users only, ensuring that anonymous or public roles cannot call this function with user UUID arguments.

Upgrading Capgo to version 12.128.2 or later, where this vulnerability is fixed, is strongly recommended.

Compliance Impact

This vulnerability allows unauthenticated attackers to access sensitive personal and organizational information such as user organization membership, roles, management emails, and billing metadata. Such unauthorized disclosure of personal and organizational data can lead to non-compliance with data protection regulations like GDPR and HIPAA, which require strict controls over access to personal and sensitive information.

The exposure of management emails and billing metadata could be considered a breach of confidentiality and privacy obligations under these regulations, potentially resulting in legal and financial consequences for affected organizations.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-56279. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart