Description

Capgo before 12.128.2 contains an authorization bypass vulnerability in POST /private/role_bindings that fails to verify app_id ownership during app-scoped role binding creation. An attacker with administrative privileges in one organization can create role bindings targeting applications owned by other organizations, enabling unauthorized read and modification of victim applications.

Severity (CVSS)

Base score8.6
SeverityHigh
VersionCVSS 4.0
VectorCVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Provided byCNA

Weaknesses

  • CWE-639 — Authorization Bypass Through User-Controlled Key

Affected products

VendorProductVersions
CapgoCapgo0 to <12.128.2; 12.128.2

References

Authoritative sources

This page is a snapshot. For the latest enrichment and updates, view the record on CVE.org or the NVD.

Generated from the official CVE List on 24 Jun 2026 09:35 UTC.