CVE-2026-56222

Capgo before 12.128.2 contains an authorization bypass vulnerability in POST /private/role bindings that fails to verify app id ownership during app-scoped role binding creation. An attacker with administrative privileges in one organization can create role bindings targeting applications owned by other organizations, enabling unauthorized read and modification of victim applications.