Broken Access Control Vulnerability in Capgo's Organization Management API
CVE-2026-56246
7.2HIGH
What is CVE-2026-56246?
Capgo versions prior to 12.128.2 exhibit a critical security flaw within the organization management API due to improper access control mechanisms. Specifically, users with administrative privileges across multiple organizations can create scoped API keys restricting them to a single organization. However, the permissions inherited from their user roles permit them to execute destructive actions, such as deleting organizations and their members, in other organizations. This issue arises from a flaw in the route-level authorization process, which improperly evaluates user privileges before applying the key's scope limitations, allowing unauthorized access and potential data compromise.
Affected Version(s)
Capgo 0 < 12.128.2
Capgo 12.128.2
