Capgo before 12.128.2 allows org admins to assign org-scoped RBAC roles at app scope without validating role scope compatibility, including to pending invitees. Attackers can pre-seed malformed high-privilege bindings that survive invite acceptance, enabling accepted low-privilege users to perform unauthorized privileged app actions.
Metrics
Affected Vendors & Products
References
History
Tue, 30 Jun 2026 22:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Capgo before 12.128.2 allows org admins to assign org-scoped RBAC roles at app scope without validating role scope compatibility, including to pending invitees. Attackers can pre-seed malformed high-privilege bindings that survive invite acceptance, enabling accepted low-privilege users to perform unauthorized privileged app actions. | |
| Title | Capgo - Privilege Escalation via Cross-Scope RBAC Role Assignment | |
| Weaknesses | CWE-266 | |
| References |
| |
| Metrics |
cvssV3_1
|
Status: PUBLISHED
Assigner: VulnCheck
Published:
Updated: 2026-06-30T22:08:24.865Z
Reserved: 2026-06-19T21:53:16.001Z
Link: CVE-2026-56247
No data.
No data.
No data.
OpenCVE Enrichment
Updated: 2026-06-30T23:30:04Z