NULL-Auth Bypass Vulnerability in Capgo by Capgo
CVE-2026-56219

8.7HIGH

Key Information:

Vendor

Capgo

Status
Vendor
CVE Published:
30 June 2026

What is CVE-2026-56219?

Capgo, prior to version 12.128.2, has a vulnerability in the public.get_org_user_access_rbac function that allows attackers to bypass authentication. This flaw can be exploited by unauthenticated users to access sensitive RBAC role bindings and retrieve member email addresses. The vulnerability arises from improper handling of NULL in the authorization logic, which permits unauthorized access through the PostgREST RPC endpoint using only a public API key, leading to potential exposure of organization membership details and roles.

Affected Version(s)

Capgo 0 < 12.128.2

Capgo 12.128.2

References

CVSS V4

Score:
8.7
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Judel777
.