CVE-2026-56253

Name of the Vulnerable Software and Affected Versions Capgo versions prior to 12.128.2

Description Improper access control in the public.get org members() RPC function allows unauthenticated attackers to enumerate organization members. By using a public sb publishable * key and an organization UUID, attackers can retrieve sensitive member information, including email addresses, user IDs, roles, and pending invitations.

Recommendations Update to version 12.128.2 or later. As a temporary workaround, restrict access to the public.get org members() function to minimize the risk of exploitation.