PT-2026-56428 · Cap Go · Cap-Go
Zerlyer
·
Published
2026-07-08
·
Updated
2026-07-08
·
CVE-2026-56246
CVSS v3.1
8.1
High
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H |
Capgo before 12.128.2 contains a broken access control vulnerability in the organization management API where a scoped API key (limited to orgs) inherits its owner-user's permissions, allowing destructive cross-organization actions. When a user is an admin in two organizations and creates a write-mode API key restricted to one organization, that key can still perform destructive operations (e.g., DELETE /organization, DELETE /organization/members) against another organization. The root cause is route-level authorization (rbac check permission direct) that evaluates the key owner's user privileges before enforcing the API key's limited to orgs scope.
Exploit
Fix
Improper Authorization
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Cap-Go