PT-2026-56428 · Cap Go · Cap-Go

Zerlyer

·

Published

2026-07-08

·

Updated

2026-07-08

·

CVE-2026-56246

CVSS v3.1

8.1

High

VectorAV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Capgo before 12.128.2 contains a broken access control vulnerability in the organization management API where a scoped API key (limited to orgs) inherits its owner-user's permissions, allowing destructive cross-organization actions. When a user is an admin in two organizations and creates a write-mode API key restricted to one organization, that key can still perform destructive operations (e.g., DELETE /organization, DELETE /organization/members) against another organization. The root cause is route-level authorization (rbac check permission direct) that evaluates the key owner's user privileges before enforcing the API key's limited to orgs scope.

Exploit

Fix

Improper Authorization

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-56246

Affected Products

Cap-Go