Authorization Bypass in Cap-go API for Organizational Membership Data
CVE-2026-56310
5.3MEDIUM
What is CVE-2026-56310?
An authorization bypass vulnerability exists in the Cap-go application prior to version 12.128.2. This flaw enables attackers with organization-limited API keys to circumvent 'limited_to_orgs' restrictions via the GET /organization/members endpoint. As a result, unauthorized users may gain access to sensitive membership information, such as user IDs, email addresses, profile images, roles, and temporary status from organizations outside their designated permissions. This issue poses a significant risk of data leakage and unauthorized access to confidential information.
Affected Version(s)
capgo 0 < 12.128.2
capgo 12.128.2
