Capgo – Cross-Organization App Takeover via Mismatched org_id and app

8.6 / 10

HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Description

Capgo before 12.128.2 contains an authorization bypass vulnerability in POST /private/role_bindings that fails to verify app_id ownership during app-scoped role binding creation. An attacker with administrative privileges in one organization can create role bindings targeting applications owned by other organizations, enabling unauthorized read and modification of victim applications.

AI Analysis

Authorization bypass vulnerability in Capgo before 12.128.2 allowing attackers to create role bindings targeting applications owned by other organizations

Basic Information

ID CVE-2026-56222

Source VulnCheck

Published Jun 23, 2026 at 12:12

Affected Product

Vendor Capgo

Product Capgo

Affected Versions Capgo Capgo 0

CWE Classification

CWE-639

AI Assessment

AI Score 8.6 / 10

AI Severity High

Vendor Capgo

Product Capgo

Version before 12.128.2

References

{
    "lastseen": "",
    "description": "Capgo before 12.128.2 contains an authorization bypass vulnerability in POST /private/role_bindings that fails to verify app_id ownership during app-scoped role binding creation. An attacker with administrative privileges in one organization can create role bindings targeting applications owned by other organizations, enabling unauthorized read and modification of victim applications.",
    "published": "2026-06-23T12:12:55.949Z",
    "modified": "2026-06-23T12:12:55.949Z",
    "type": "cve",
    "title": "Capgo - Cross-Organization App Takeover via Mismatched org_id and app_id in /private/role_bindings",
    "source": "VulnCheck",
    "references": "https://github.com/Cap-go/capgo/security/advisories/GHSA-5r52-m8r9-7f8x\nhttps://www.vulncheck.com/advisories/capgo-cross-organization-app-takeover-via-mismatched-org-id-and-app-id-in-private-role-bindings",
    "id": "CVE-2026-56222",
    "bulletinFamily": "",
    "cwe": [
        "CWE-639"
    ],
    "cvelist": null,
    "sourceData": "Capgo Capgo 0",
    "sourceHref": "",
    "cvss": {
        "score": 8.6,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Capgo",
    "version": "0",
    "vendor": "Capgo",
    "ai_description": "Authorization bypass vulnerability in Capgo before 12.128.2 allowing attackers to create role bindings targeting applications owned by other organizations",
    "ai_severity": "High",
    "ai_vendor": "Capgo",
    "ai_product": "Capgo",
    "ai_version": "before 12.128.2",
    "ai_score": 8.6
}

Capgo – Cross-Organization App Takeover via Mismatched org_id and app_id in /private/role_bindings_CVE-2026-56222