PT-2026-54021 · Cap Go · Cap-Go

Judel777 · Published 2026-06-30 · Updated 2026-06-30 · CVE-2026-56219

CVSS v3.1: 7.5 High

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Capgo before 12.128.2 contains a NULL-auth bypass vulnerability in the public.get org user access rbac function that allows unauthenticated attackers to retrieve RBAC role bindings and member email addresses. Attackers can exploit improper NULL comparison in the authorization gate to disclose organization membership, roles, and email addresses via the PostgREST RPC endpoint using only a public API key.
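
The bug class described above, an authorization gate that fails open when its comparison evaluates to NULL, shown as an added PostgreSQL example beside a hardened form. This is not Capgo's code: the table, the functions and the `demo.caller` setting are hypothetical, and the shape of the gate is an assumption made for illustration.

```sql
-- Constructed demo for PostgreSQL; every name and row here is hypothetical.
CREATE TABLE demo_bindings (org_id int, user_id int, email text, role text);
INSERT INTO demo_bindings VALUES (1, 10, 'owner@example.test', 'admin');

-- Stand-in for the session identity: NULL when no user is authenticated.
CREATE FUNCTION demo_caller() RETURNS int LANGUAGE sql STABLE AS
$$ SELECT nullif(current_setting('demo.caller', true), '')::int $$;

-- Fail-open gate: for an anonymous caller no row matches, v_role stays NULL,
-- "NULL NOT IN (...)" evaluates to NULL, and IF treats NULL like false.
CREATE FUNCTION demo_members_weak(p_org int)
RETURNS TABLE (member_email text, member_role text) LANGUAGE plpgsql AS $$
DECLARE v_role text;
BEGIN
    SELECT b.role INTO v_role FROM demo_bindings b
     WHERE b.org_id = p_org AND b.user_id = demo_caller();
    IF v_role NOT IN ('admin', 'member') THEN
        RAISE EXCEPTION 'access denied';
    END IF;
    RETURN QUERY SELECT b.email, b.role FROM demo_bindings b
                  WHERE b.org_id = p_org;
END; $$;

-- Fail-closed gate: the allow condition must be exactly TRUE, so both
-- false and NULL end in the exception.
CREATE FUNCTION demo_members_strict(p_org int)
RETURNS TABLE (member_email text, member_role text) LANGUAGE plpgsql AS $$
DECLARE v_role text;
BEGIN
    SELECT b.role INTO v_role FROM demo_bindings b
     WHERE b.org_id = p_org AND b.user_id = demo_caller();
    IF (v_role IN ('admin', 'member')) IS NOT TRUE THEN
        RAISE EXCEPTION 'access denied';
    END IF;
    RETURN QUERY SELECT b.email, b.role FROM demo_bindings b
                  WHERE b.org_id = p_org;
END; $$;

-- Compare both gates with no authenticated caller in the session.
SELECT set_config('demo.caller', '', false);
SELECT * FROM demo_members_weak(1);
SELECT * FROM demo_members_strict(1);
```

When reviewing RPC functions for this pattern, look for deny checks written as negative comparisons (`<>`, `NOT IN`, `NOT (...)`) over values that can be NULL for an unauthenticated session.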

Fix

Improper Authentication

Weakness Enumeration

Related Identifiers

CVE-2026-56219

Affected Products

Cap-Go