CVE-2026-56222 | Capgo before 12.128.2 contains an authorization bypass vulne… | CVSS 7.2 HIGH

Description

Capgo before 12.128.2 contains an authorization bypass vulnerability in POST /private/role_bindings that fails to verify app_id ownership during app-scoped role binding creation. An attacker with administrative privileges in one organization can create role bindings targeting applications owned by other organizations, enabling unauthorized read and modification of victim applications.

Metadata

CVE ID: CVE-2026-56222
State: PUBLISHED
Assigner: VulnCheck
Reserved: 2026-06-19 21:46 UTC
Published: 2026-06-23 12:12 UTC
Last updated: 2026-06-23 12:12 UTC
Primary CWE: CWE-639
Authorization Bypass Through User-Controlled Key
Vendor / Product: Capgo / Capgo
Sources: cve.org · NVD

Severity & Metrics

7.2 HIGH CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Affected products (1)

Vendor	Product	Platform	Versions
Capgo	Capgo	—	0 < 12.128.2, 12.128.2

Weakness (CWE)

CWE	Source	Description
CWE-639	cna	Authorization Bypass Through User-Controlled Key

CVSS scores (2)

Score	Severity	Version	Source	Vector
8.6	HIGH	4.0	cna	CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
7.2	HIGH	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

References (2)

GitHub Security Advisory (GHSA-5r52-m8r9-7f8x) https://github.com/Cap-go/capgo/security/advisories/GHSA-5r52-m8r9-7f8x
VulnCheck Advisory: Capgo - Cross-Organization App Takeover via Mismatched org_id and app_id in /private/role_bindings https://www.vulncheck.com/advisories/capgo-cross-organization-app-takeover-via-mismatched-org-id-and-app-id-in-private-role-bindings